All the actual authentication is fine.  I wouldn't rely on cookies for
security.  It sounds like cookies would be a "fake" security.

I was thinking about creating a logout cookie.

Then, the popup would only happen if the user hacked their cookies.

Shame on them.

But it seems like such a hack to me.  I dread it.

I'm not seeing in your example how that 401 error would be generated.  What
would the htaccess look like?

Michele

-----Original Message-----
From: Joe Lewis [mailto:j...@joe-lewis.com] 
Sent: Thursday, February 12, 2009 7:25 PM
To: modules-dev@httpd.apache.org
Subject: Re: Making mod_auth_digest mysql

Michele Waldman wrote:
> It is different than just authenticating.
>
> Due to an htaccess authentication implementation, it requires a workaround
> to prevent those pesky popups the browsers produce.
>
> I'm trying to do a spin on this:
> http://www.berenddeboer.net/rest/authentication.html
>
> Implementing the mod_auth_digest authenticating against mysql was all part
> of this.
>
> Michele
>   

Sounds like you :
a) have your work cut out for you
or
b) can perform the task easily using pre-existing modules.

Problem 1 : If it is the "popup" login that you are trying to avoid, you 
can't by switching to "digest" instead of "basic" authentication. The 
only way around this is to inject the headers into the authentication on 
the SERVER side. An example module doing this is mod_auth_cookie, which 
takes a Cookie header (e.g. set by a PHP script) and converts it into 
the user credentials as if the browser had submitted basic authentication.

Problem 2 : Getting the popup if the browser didn't send the credentials 
(or the cookie as it would inject those credentials for the 
authentication). The way around this is to simply redirect to the 
"login" page that will "set the cookie" (or whatever you are using to 
inject the credentials into the incoming headers). This is a 
configuration side :

ErrorDocument 401 /login.jsp

Do not do a full URL redirect, as this will send the redirect back to 
the browser. A local URL redirect should allow the page to send contents 
back (e.g. a login form).

Let me try walking through an example using mod_auth_mysql, 
mod_auth_cookie, and PHP. The user opens their browser for the first 
time, and types in the website into the location bar. Browsing down into 
the side, they hit a page that is a protected resource according to 
apache. The ErrorDocument 401 kicks in using the local URI (which 
actually causes apache to create a sub-request to the local URI and 
returns the information), and returns a PHP login page. Filling out the 
form, and clicking submit, (remember, this will submit to what the PHP 
login page said to in the <form> tags), the PHP script sets a Login 
cookie, and sends a Location: header back to the browser telling it to 
bounce back to the original web page that was requested. (The PHP 
scripts would keep track of the Referer when it was hit, and just 
redirect back to it). At that point, the browser re-requests the page, 
but this time it submits the Login cookie. mod_auth_cookie recognizes 
the cookie, and injects the users credentials in the form of a Basic 
authentication, and passes control back to Apache. Apache then calls the 
mod_auth_mysql module, which verifies against the configured table. If 
it is wrong, it rejects the credentials and starts the ErrorDocument 401 
process again. If it is right, the page is allowed. And no pesky 
authentication dialog box. And the cookie can be set site wide. And 
still hide things that should be protected from the user.

Is that as clear as mud?
-- 
Joe Lewis
Chief Nerd      SILVERHAWK <http://www.silverhawk.net/>         (801) 660-1900

------------------------------------------------------------------------
/Never invoke the gods unless you really want them to appear. It annoys 
them very much.
--G.K. Chesterton/
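To make the walk-through above concrete, here is an added Python model of the exchange Joe describes: the first request to a protected resource gets a 401 whose body is the login form (served locally, the way ErrorDocument 401 with a local URI does), the login POST sets the cookie and bounces back to the Referer, and the re-request with the cookie has it turned into Basic credentials that are then checked against a user table. This is example code written for this thread; it is not code from the thread, from mod_auth_cookie, from mod_auth_mysql, or from any PHP login page. The cookie name `Login`, the `/private/` prefix, the `/login.php` URI and the user table are all constructed stand-ins.

```python
"""Simulated cookie-to-Basic-auth flow (added example; not code from the
thread, mod_auth_cookie, mod_auth_mysql, or a real PHP login page).
All names below are constructed stand-ins."""
import base64
from dataclasses import dataclass, field

# Constructed user table, standing in for the MySQL table mod_auth_mysql checks.
USER_TABLE = {"michele": "s3cret"}

COOKIE_NAME = "Login"           # assumed cookie name
PROTECTED_PREFIX = "/private/"  # assumed protected location
LOGIN_URI = "/login.php"        # plays the role of "ErrorDocument 401 /login.jsp"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def cookie_to_basic(req):
    """Role of mod_auth_cookie: if the Login cookie is present and the browser
    sent no Authorization header, synthesize a Basic Authorization header."""
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and "Authorization" not in req.headers:
            req.headers["Authorization"] = "Basic " + value
    return req


def verify_basic(req):
    """Role of mod_auth_mysql: check the Basic credentials against the table.
    A tampered or malformed cookie ends up here and is simply rejected."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return None
    return user if USER_TABLE.get(user) == pw else None


def login_page(req):
    """Role of the PHP login script: render the form on GET (this becomes the
    401 body), and on POST set the cookie and redirect back to the Referer."""
    if req.method == "POST":
        creds = base64.b64encode(f"{req.form['user']}:{req.form['pw']}".encode()).decode()
        back = req.form.get("back") or req.headers.get("Referer", "/")
        # The cookie carries the credentials themselves, so it is only as
        # confidential as the transport and the cookie flags make it.
        return Response(302, {"Location": back,
                              "Set-Cookie": f"{COOKIE_NAME}={creds}; Path=/; HttpOnly"})
    return Response(200, {}, f'<form method="POST" action="{LOGIN_URI}">...</form>')


def handle(req):
    """Apache's handling of one request, reduced to the parts of the flow."""
    if req.path == LOGIN_URI:
        return login_page(req)
    if not req.path.startswith(PROTECTED_PREFIX):
        return Response(200, {}, "public")
    req = cookie_to_basic(req)
    user = verify_basic(req)
    if user is None:
        # Local ErrorDocument: a sub-request renders the login form as the 401
        # body. The status stays 401 and the challenge header is still sent.
        sub = handle(Request("GET", LOGIN_URI, {"Referer": req.path}))
        return Response(401, {"WWW-Authenticate": 'Basic realm="example"'}, sub.body)
    return Response(200, {}, f"secret page for {user}")


def walk_through(user, pw):
    """Replay the three-step exchange; returns the status codes seen."""
    r1 = handle(Request("GET", "/private/page"))                       # no cookie yet
    r2 = handle(Request("POST", LOGIN_URI, {"Referer": "/private/page"},
                        {"user": user, "pw": pw}))                     # login form submit
    cookie = r2.headers["Set-Cookie"].split(";")[0]
    r3 = handle(Request("GET", r2.headers["Location"], {"Cookie": cookie}))  # bounce back
    return [r1.status, r2.status, r3.status]


if __name__ == "__main__":
    print(walk_through("michele", "s3cret"))  # [401, 302, 200]
    print(walk_through("michele", "wrong"))   # [401, 302, 401]
```

The point Michele raised about tampered cookies shows up in the second run: a cookie that does not decode to a valid user and password still reaches the verifier and is refused, so the cookie is a transport for credentials rather than the thing that grants access. Note also that the 401 in this model still carries the `WWW-Authenticate` header that Apache's auth modules add; whether a given browser renders the 401 body or shows its own dialog first is browser behaviour, which this model does not simulate.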
