I have a requirement to protect all pages on a website, and to only allow in users with a valid user id, password, client certificate and recognised IP.
I know this is asking a lot, but I would appreciate an overview/recommendation of approaches that are first safe, and second fast. I think something like:

Scenario 1: unauthenticated user gets authenticated

1) user hits site - no session = unauthenticated: create new session, remember requested page, redirect to /login page
2) /login page: collect username/password, POST action is /authenticate
3) /authenticate page: perform checks; if all ok set $session->is_logged_in(TRUE); and redirect to originally requested page [stored in session]

Scenario 2: authenticated user accesses site

1) user hits page - has session
   redirect to /login if ( not $session->is_logged_in() );
   redirect to /login?message=inactivity+timeout if ( time-$session->last_access()>1hr );

Which seems to fit the functionality bill - users can bookmark their favourite part of the system. When they come in but have not yet authenticated, they get momentarily diverted through the /login/authenticate pages.

Is this safe? How should I ensure that the sessions never get hijacked? I am thinking along the lines of an additional transient cookie issued when the session authenticates the user that contains md5(some_secret+session_id) that is also checked.

And... is there already a nifty mod_perl class that does all this? I have Apache::AuthCookie working from examples, but don't know what the security implications of using it are, without reading the code [which I will do soon I guess]. I also have problems with the LOGIN POST saying "POST: METHOD NOT ALLOWED" when I try to get mod_perl to be the handler for Location /.

Any recommendations/feedback appreciated! Even if it's a recipe I haven't yet reached!

Thanks in advance,
Jeff
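Added example (editor's code, not from the post and not Apache::AuthCookie): a plain-Perl sketch of the two scenarios above, runnable without Apache because the request and session are ordinary hashes. Instead of a second cookie holding md5(secret+session_id), the authenticated session is tied to the client with an HMAC over the session id, the client IP and the client-certificate fingerprint, checked on every request, and the session id is regenerated at login. The secret, the user table, the IP allow-list, the certificate fingerprint and the constructed request walk-through are all assumptions made for the example; in a real mod_perl deployment the IP comes from the connection and the fingerprint from mod_ssl with SSLVerifyClient require.

```perl
#!/usr/bin/perl
# Added example: login/redirect flow with IP- and cert-bound sessions.
# Not code from the original post or from Apache::AuthCookie.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex sha256_hex);

my $SECRET       = 'replace-with-a-long-random-server-secret';   # assumption
my $IDLE_TIMEOUT = 3600;           # 1 hour of inactivity, as in the post
my %SESSIONS;                      # session_id => {...}; real apps persist this
my %USERS       = ( jeff => sha256_hex('correct horse') );   # constructed user;
                                   # use bcrypt/scrypt for real password storage
my %ALLOWED_IPS = map { $_ => 1 } qw(192.0.2.10 203.0.113.5); # constructed allow-list

sub new_session_id {               # 256 random bits from the kernel CSPRNG
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 32;
    return unpack 'H*', $bytes;
}

# Binding token: HMAC over the session id plus the client properties the
# session was issued to. A stolen cookie alone cannot be replayed from
# another address or without presenting the same client certificate.
sub binding_token {
    my ($sid, $ip, $cert_fp) = @_;
    return hmac_sha256_hex(join("\0", $sid, $ip, $cert_fp), $SECRET);
}

sub const_eq {                     # constant-time compare for tokens/hashes
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Decides one request: returns ('serve', $page) or ('redirect', $location).
# $req = { ip, cert_fp, path, cookies => {sid, bind}, post => {...}, set_cookies => {} }
sub handle {
    my ($req, $now) = @_;
    # Network-level requirements first: unknown IP or no client cert, no session.
    return ('redirect', '/denied') unless $ALLOWED_IPS{ $req->{ip} } && $req->{cert_fp};

    my $sid = $req->{cookies}{sid};
    my $s   = defined $sid ? $SESSIONS{$sid} : undef;
    if (!$s) {                     # Scenario 1, step 1: new session, remember page
        $sid = new_session_id();
        $SESSIONS{$sid} = { logged_in => 0, wanted => $req->{path}, last => $now };
        $req->{set_cookies}{sid} = $sid;
        return ('redirect', '/login');
    }
    if ($s->{logged_in}) {         # Scenario 2: binding and inactivity checks
        my $want = binding_token($sid, $req->{ip}, $req->{cert_fp});
        unless (defined $req->{cookies}{bind} && const_eq($req->{cookies}{bind}, $want)) {
            delete $SESSIONS{$sid};        # treat as a hijack attempt: kill it
            return ('redirect', '/login?message=session+invalid');
        }
        if ($now - $s->{last} > $IDLE_TIMEOUT) {
            delete $SESSIONS{$sid};
            return ('redirect', '/login?message=inactivity+timeout');
        }
        $s->{last} = $now;
        return ('serve', $req->{path});
    }
    if ($req->{path} eq '/authenticate') {   # Scenario 1, step 3
        my ($u, $p) = @{ $req->{post} }{qw(user pass)};
        if (defined $u && exists $USERS{$u} && const_eq(sha256_hex($p // ''), $USERS{$u})) {
            # Regenerate the id at login so a pre-login id planted by an
            # attacker (session fixation) never becomes an authenticated one.
            my $new = new_session_id();
            $SESSIONS{$new} = { %$s, logged_in => 1, user => $u, last => $now };
            delete $SESSIONS{$sid};
            $req->{set_cookies}{sid}  = $new;
            $req->{set_cookies}{bind} = binding_token($new, $req->{ip}, $req->{cert_fp});
            return ('redirect', $s->{wanted} || '/');
        }
        return ('redirect', '/login?message=bad+credentials');
    }
    return $req->{path} eq '/login' ? ('serve', '/login') : ('redirect', '/login');
}

# Constructed walk-through of the post's scenarios, then a cookie thief.
my $client = { ip => '192.0.2.10', cert_fp => 'AB:CD:EF', cookies => {} };
my $t = 1_000_000;
for my $step ( ['/reports/q3'], ['/login'],
               ['/authenticate', { user => 'jeff', pass => 'correct horse' }],
               ['/reports/q3'] ) {
    my $req = { %$client, path => $step->[0], post => $step->[1] || {}, set_cookies => {} };
    my ($act, $where) = handle($req, $t);
    %{ $client->{cookies} } = ( %{ $client->{cookies} }, %{ $req->{set_cookies} } );
    printf "%-14s -> %s %s\n", $step->[0], $act, $where;
}
# Same cookies replayed from another allowed IP: binding fails, session dropped.
my $thief = { %$client, ip => '203.0.113.5', path => '/reports/q3', post => {}, set_cookies => {} };
printf "%-14s -> %s %s\n", 'thief', handle($thief, $t + 60);
```

Two points the walk-through makes that a second md5(secret+session_id) cookie does not: a cookie derived only from the session id travels alongside the session cookie, so whoever steals one has both, whereas a token that also covers the client IP and certificate fingerprint cannot be replayed from elsewhere; and regenerating the id at the moment of login closes the session-fixation path that a pre-login id created on the first redirect would otherwise leave open. Both cookies should still be set with the Secure and HttpOnly flags so they never cross plaintext HTTP or reach page scripts.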