Hi.
Without going into the details of your code, I believe that what you are bumping against
may be the very nature of HTTP.
In your scheme, you need 2 consecutive interactions with the user, and the second one
needs to be able to "remember" what the first one was.
The basic logic of HTTP goes against that : each request/response cycle is totally
independent of the others, and there is no "memory" kept between two transactions.
At least not by HTTP itself. Think that between your first interaction, and the second,
there may have been 1000 other request/response cycles happening for other users.
So the only way to do this, is by super-imposing some kind of "session" mechanism, whereby
the server can detect, on the second request, that there has been a first one, and what
its results were.
There are various such schemes, but the simplest mechanism for doing that is probably via
cookies.
Your first request/response should set a "step 1 cookie", which is detected and read by
the second request/response cycle, which then modifies that cookie into a "step 2 cookie".
Your real application areas should then require the step 2 cookie for authenticating a
user and granting the resource.
I think that trying to do this by playing with the "realm", which is intimately linked to
the URL requested by the browser, is going to lead you into loops of logic.
Matt Puumala wrote:
Greetings!
I am trying to make a two-factor authentication module, built on
AuthType Basic. (google for Perfect Paper Passwords for the scheme I'm
using). To make it work, I need to be able to prompt the user to type
in two passwords sequentially.
So, the user comes to the page, apache sends "401 AuthRequired" and
the configured AuthName (this is prompt 1).
The user enters username and first password. The module verifies, and
constructs the second prompt.
In my plan, I'd like to set the AuthName for that client, then send
back "401 AuthRequired" again. The new AuthName realm is prompt 2,
which is shown to the user.
However, I'm having problems changing the AuthName.
I'm starting with extremely simple test bed, using output files to
dump data.
I expected the "Old Auth Name" to be "Testing the Thing", and the "New
Auth Name" to be "Simple String". But the Auth Name doesn't change.
This is my first apache module. Is there something in the intricacies
of the request cycle that I'm missing? Or is there some other obviously
better way to prompt for passwords sequentially?
Server: Windows XP running XAMPP.
Server version: Apache/2.2.14 (Win32)
Server built: Nov 11 2009 14:29:03
mod_perl/2.0.4 Perl/v5.10.1
------- Auth Handler Skeleton ---------------
package CustomAuth::AuthTwoPW;
use strict;
use Apache2::Const qw(:common);
use Apache2::Access ();
sub handler
{
my $r = shift;
my($res, $sent_pw) = $r->get_basic_auth_pw;
# debug output
my $FH;
open $FH, ">", "/Documents and Settings/Matt/Desktop/stuff.txt";
my $stoij = "response is " . $res . "\nSent pw is " . $sent_pw . "\n";
print $FH $stoij;
return $res if $res != OK;
my $user = $r->connection->user;
unless($user eq "matt" and $sent_pw eq "pw1")
{
print $FH "Didnt get good pw, returning AUTH_REQUIRED\n";
$r->note_basic_auth_failure;
$r->log_error("Didn't get good first password",
$r->filename);
return AUTH_REQUIRED;
}
# Got first username/pw combo. RESET, change prompts, and get next set
# reset prompts
my $oldval = $r->auth_name("Simple String");
my $newval = $r->auth_name();
print $FH "Old authname val is " . $oldval . "\n";
print $FH "New authname val is " . $newval . "\n";
# Reset headers so client auth's again
$r->note_basic_auth_failure;
# ask for second pw
return AUTH_REQUIRED;
} # closes 'handler'
1;
------- END Auth Handler Skeleton ---------------
------- Debug File Output -----------------
response is 0
Sent pw is pw1
Old authname val is Testing The Thing
New authname val is Testing The Thing
------- END Debug File Output -----------------
------- ModPerl Config ----------------------
LoadFile "C:/Documents and Settings/Matt/My
Documents/xampp/perl/bin/perl510.dll"
LoadModule perl_module modules/mod_perl.so
LoadModule apreq_module modules/mod_apreq2.so
PerlSwitches -T
PerlPostConfigRequire "C:/Documents and Settings/Matt/My
Documents/xampp/apache/conf/extra/startup.pl"
...[ snip ]...
<Directory "C:/Documents and Settings/Matt/My
Documents/xampp/htdocs/authenticatedstuff">
SetHandler perl-script
AuthName "Testing The Thing"
AuthType Basic
PerlOptions +GlobalRequest
PerlAuthenHandler CustomAuth::AuthTwoPW
require valid-user
</Directory>
# ASP settings
Include "conf/extra/asp.conf"
------- END ModPerl Config ----------------------
