I've been researching what it would take to write an mp2 + Apache::AuthCookie based login system using optional client certificates. Before I start wrangling the code, I'd like to do a sanity check. Here's what I'm planning:
Unauthenticated users trying to access protected content are redirected to a page that requires certificates. The ability to require a client certificate is a feature of mod_ssl. The use of "required" certificates is preferred because most browsers won't send a certificate when it is specified as "optional".

Before mp2 handlers are even called, any certificate provided by the client is handled by mod_ssl. Information about the certificate is made available by mod_ssl as request variables.

If the certificate is successfully mapped to a known user, login is complete, a cookie is set, and a redirect to the protected resource is sent. If no certificate is provided, or the certificate doesn't map to a known user account, the access denied redirect is overridden to send the user to a normal login page. Login from this page is handled like any other login.

Does this sound reasonable? Is there a better way that I've missed?

-- 
Stuart Jansen <[EMAIL PROTECTED] http://buscaluz.org/ AIM:StuartMJansen>
I've thought about becoming a defeatist, but I've decided it can't possibly work.
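The certificate step described in the post, as an added example that is not from the original message or from Apache::AuthCookie itself: a mod_perl 2 fixup handler for the certificate-required location that reads the mod_ssl variables, maps the subject's e-mail to an account, and either sets the AuthCookie session cookie or falls through to the ordinary login form. It assumes an Apache2::AuthCookie subclass named My::AuthCookieHandler with a hypothetical make_session_key helper, that the location carries `SSLVerifyClient require` and `SSLOptions +StdEnvVars`, and a constructed e-mail-to-user table.

```perl
package My::CertLogin;
# Added example, not code from the post or from Apache::AuthCookie.
# httpd.conf (assumed):
#   <Location /certlogin>
#     SSLVerifyClient require
#     SSLOptions +StdEnvVars
#     PerlFixupHandler My::CertLogin
#   </Location>
use strict;
use warnings;
use Apache2::RequestRec ();
use Apache2::RequestUtil ();
use Apache2::URI ();
use Apache2::Util ();
use APR::Table ();
use Apache2::Const -compile => qw(REDIRECT);
use My::AuthCookieHandler ();   # hypothetical Apache2::AuthCookie subclass

# Constructed mapping: certificate subject e-mail -> account name.
my %USER_FOR_EMAIL = ('alice@example.org' => 'alice');

# Returns the account name for a trusted client certificate, or undef.
sub user_from_cert {
    my ($r) = @_;
    my $env = $r->subprocess_env;
    # mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only after validating the
    # chain against SSLCACertificateFile; a DN alone proves nothing.
    return unless ($env->{SSL_CLIENT_VERIFY} // '') eq 'SUCCESS';
    my $email = $env->{SSL_CLIENT_S_DN_Email} or return;
    return $USER_FOR_EMAIL{lc $email};
}

sub handler {
    my ($r) = @_;
    # Original destination, passed as ?destination=... (assumed convention).
    my $dest = '/';
    if (($r->args // '') =~ /(?:^|&)destination=([^&]+)/) {
        $dest = Apache2::URI::unescape_url($1);
    }
    # Accept only local absolute paths so this cannot become an open redirect.
    $dest = '/' unless $dest =~ m{^/(?!/)};

    my $target;
    if (my $user = user_from_cert($r)) {
        my $ses_key = My::AuthCookieHandler->make_session_key($user); # hypothetical
        My::AuthCookieHandler->send_cookie($r, $ses_key);              # AuthCookie API
        $target = $dest;
    } else {
        $target = '/login?destination=' . Apache2::Util::escape_path($dest, $r->pool);
    }
    $r->headers_out->set(Location => $target);
    return Apache2::Const::REDIRECT;
}
1;
```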