Hi,
I've got a modified version of Ken Williams' Apache::AuthCookie that works
with munged URLs. This module also will work without a login script, so it
can act as a simple session manager that works with cookies or URLs. So,
you can have it require a login in one section of your site, and just
manage sessions in another.
I haven't had the time lately to run it through the paces as I would like,
but I am using it. Ken showed some interest in looking at it early on, but
I haven't been able to get in touch with him in a while. So if anyone else
would like to test it, it can be found at:
http://www.hank.org/modules/AuthCookieURL-0.02.tar.gz
I've had a few people ask about it, but I'd rather someone here try it
before releasing it to anyone else. As it's simply a few modifications of
Ken's code, I'd like him to review it too.
If you do look at it, please look over the module itself. There are more
notes and questions in the code than in the documentation, and I'm sure
someone more experienced than I will spot improvements.
Lastly, I'm not a big fan of URL munged sessions, but I have some clients
where cookies are disabled. There are a bunch of issues with munged URLs that
I'd rather not have to worry about. Oh well.
NAME
Apache::AuthCookieURL - Perl Authentication and Authorization via
cookies or URL munging
SYNOPSIS
In httpd.conf
    PerlModule Apache::AuthCookieURLHandler
    # Or to use simple session generation w/o persistence
    #PerlModule Apache::AuthCookieURL

    # Send expires with cookie
    PerlSetVar WhateverExpires +90d

    # Other cookie settings
    #PerlSetVar WhateverDomain some.domain
    # This can only be set to "/" if using URL sessions
    #PerlSetVar WhateverPath /path
    #PerlSetVar WhateverSecure 1

    # Login script to call
    PerlSetVar WhateverLoginScript /login.pl
    # Or for just session management without a login script
    #PerlSetVar WhateverLoginScript NONE

    PerlSetVar AuthCookieURLDebug 5

    # Disable cookies (only URL based sessions)
    #PerlSetVar WhateverNoCookie 1

    # This block enables URL session handling: "MISSING" can be anything
    PerlTransHandler Apache::AuthCookieURLHandler->URLsession
    ErrorDocument 302 /MISSING
    ErrorDocument 301 /MISSING
    <Location /MISSING>
        SetHandler perl-script
        PerlHandler Apache::AuthCookieURLHandler->error_document
    </Location>

    <Location /protected>
        AuthType Apache::AuthCookieURLHandler
        AuthName Whatever
        PerlAuthenHandler Apache::AuthCookieURLHandler->authenticate
        PerlAuthzHandler Apache::AuthCookieURLHandler->authorize
        require valid-user
    </Location>

    # provide access to some areas
    <Location /protected/open>
        AuthName none
    </Location>

    <Location /images>
        AuthName none
    </Location>

    # Make sure the login script can be run
    <Files login.pl>
        Options +ExecCGI
        SetHandler perl-script
        PerlHandler Apache::Registry
    </Files>

    # LOGIN is the action defined by the login.pl script
    <Files LOGIN>
        AuthType Apache::AuthCookieURLHandler
        AuthName Whatever
        SetHandler perl-script
        PerlHandler Apache::AuthCookieURLHandler->login
    </Files>

    # better to just invalidate the session, of course
    <Files LOGOUT>
        AuthType Apache::AuthCookieURLHandler
        PerlSetVar WhateverLogoutURI /
        AuthName Whatever
        SetHandler perl-script
        PerlHandler Apache::AuthCookieURLHandler->logout
    </Files>
DESCRIPTION
** Warning: beta software. This should be used for testing purposes
only. I'm sure the interface will change (or disappear) without notice.
Please report any problems or comments back to Bill Moseley
<[EMAIL PROTECTED]>
This module is a modification of Ken Williams <[EMAIL PROTECTED]>
Apache::AuthCookie. Please see perldoc Apache::AuthCookie for complete
instructions. As this is intended to be a drop-in replacement for
Apache::AuthCookie you may wish to install and test with Ken's
Apache::AuthCookie before trying AuthCookieURL.
Basically, this module allows you to catch any unauthenticated access
and redirect to a login script that you define. The login script posts
credentials (e.g. username and password) and your script can then
validate and provide a session key. The session key is sent in a cookie,
and also in a munged URL and a redirect is issued and the process starts
all over. (Now you see why you should install Ken's documentation!)
Apache::AuthCookieURL adds the following changes to Apache::AuthCookie.
* URL munging
If the PerlTransHandler is enabled in httpd.conf the session key
will also be placed in the URL. The session will be removed from the
URL if cookies are enabled on the next request. Typically, someone
visiting your site with cookies enabled will never see the munged
URL.
* Simple Session Management
If the login script is set to `NONE' with PerlSetVar
WhateverLoginScript NONE then Apache::AuthCookieURL acts like a
simple session manager: your script will provide a new session key
if one is not provided with the request, or if the one provided is
invalid.
* Really Simple Session Management
Apache::AuthCookieURL provides default authen_cred() and
authen_ses_key() methods that generate a (questionably) random
session key. This means you can use AuthCookieURL directly without
subclassing for really simple session management without any
persistence of session keys.
To make URL sessions work you should use relative links in your
documents.
Unless you are using the default methods provided (that is, not
subclassing this module), your module must define two methods. Again,
please see Apache::AuthCookie for complete documentation.
* authen_cred()
This method verifies the credentials and returns a session key. If
the credentials are not acceptable then you can return a list, with
the second element being an error message that is placed in a
cookie. This allows your login script to display a failure reason.
This method is needed since a redirect is done before your login
script is executed again.
A better (?) method is to return a session key that is really an
error code and generate messages based on the error code.
* authen_ses_key()
This method's job is to validate and convert a session key into a
username and return it. AuthCookieURL places the returned value into
$ENV{REMOTE_USER}.
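As an added example of the two methods above (this is not code from
AuthCookieURL or from Ken's Apache::AuthCookie), here is a hypothetical
subclass My::AuthCookieURL that validates posted credentials, issues a
session key and maps a key back to a username. The user table and session
table are constructed in-memory hashes for the example; the failure return
of (undef, 'message') is this example's reading of "return a list, with the
second element being an error message". The key generator reads
/dev/urandom instead of the module's default, and the session lookup
rejects malformed and expired keys, which limits the damage if a key leaks
through a log or a cached munged URL.

```perl
package My::AuthCookieURL;
# Hypothetical subclass of Apache::AuthCookieURL; constructed for this
# example, not code shipped with the module.
use strict;
use warnings;
use base 'Apache::AuthCookieURL';
use Digest::SHA qw(sha256_hex);

# Constructed in-memory stores for the example. Under mod_perl each httpd
# child has its own copy, so a real deployment keeps sessions in a shared
# store (a database, Apache::Session, etc.).
my %USERS = (
    # username => sha256 of the password; demo value, not a real credential
    alice => sha256_hex('correct horse battery staple'),
);
my %SESSIONS;                          # key => { user => ..., expires => epoch }
use constant SESSION_TTL => 30 * 60;   # short lifetime: keys may end up in URLs and logs

# Called with the credentials posted by the login script. Returns a session
# key on success. On failure it returns a list whose second element is the
# error message AuthCookieURL places in a cookie for the login script to
# display; undef as the first element is this example's assumption.
sub authen_cred {
    my ($self, $r, @cred) = @_;
    my ($user, $pass) = @cred;

    return (undef, 'Missing username or password')
        unless defined $user && defined $pass && length $user && length $pass;

    my $stored = $USERS{$user};
    # Hash and compare even for an unknown user, so response timing does not
    # reveal which usernames exist.
    my $expected = defined $stored ? $stored : sha256_hex('');
    my $ok = _ct_eq(sha256_hex($pass), $expected);
    return (undef, 'Invalid username or password') unless defined $stored && $ok;

    my $key = _new_session_key();
    $SESSIONS{$key} = { user => $user, expires => time() + SESSION_TTL };
    return $key;
}

# Called with the key taken from the cookie or the munged URL. Returns the
# username (AuthCookieURL puts it in $ENV{REMOTE_USER}) or undef, which sends
# the client back to the login script.
sub authen_ses_key {
    my ($self, $r, $key) = @_;
    # Reject malformed keys before touching the session store.
    return unless defined $key && $key =~ /\A[0-9a-f]{32}\z/;
    my $session = $SESSIONS{$key} or return;    # unknown key
    if ($session->{expires} < time()) {
        delete $SESSIONS{$key};                 # expired: force a fresh login
        return;
    }
    return $session->{user};
}

# 128 bits from the kernel CSPRNG instead of a "(questionably) random" key.
sub _new_session_key {
    open my $fh, '<:raw', '/dev/urandom' or die "Cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "Short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Constant-time string comparison so the password check does not leak
# through timing.
sub _ct_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

1;
```

To wire it in, name this package in place of Apache::AuthCookieURLHandler
in the AuthType, PerlAuthenHandler, PerlAuthzHandler and PerlHandler lines
of the SYNOPSIS, and load it with PerlModule. A LOGOUT handler for this
subclass should also delete the key from %SESSIONS, as the SYNOPSIS comment
("better to just invalidate the session") suggests.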
WARNING
URL munging has security issues. Session keys can get written to access
logs, cached by browsers, leak outside your site, and are broken if your
pages use absolute links to other pages on-site.
TO DO
Apache::AuthCookieURL uses error documents to try to fixup any
redirects. The obvious example is when a request is made for a directory
without a trailing slash and Apache issues a redirect. (Actually,
AuthCookieURL tries to detect this case and rewrite the URL before
Apache redirects.) I wish I knew a better way to fixup Location: headers
in redirects without sub-requesting every request.
Bill Moseley
mailto:[EMAIL PROTECTED]