I haven't been using it very long, so I'm still kind of figuring out what the config directives do. Here's an example config and I'll try to explain my understanding of each one. Unfortunately, I don't have the source (that I can find, yet...) or any docs for this module, so I don't know if this is a comprehensive list: AuthPassiveEnable On AuthPassiveCookieUserName USER AuthPassiveCookiePassName PASS AuthPassiveCookieBackURL BackURL AuthPassiveLoginURL /auth/login.php AuthPassiveDBMSessFile /var/log/apache/session/session.db AuthPassiveGroups group1 Notice the "Passive" in all the directives. The point of this module is to allow passive access by bypassing the login page using cookies, once the surfer has been initially authenticated. This makes it very easy to implement a "remember me" check box on your login form. Depending on how long you store the cookies, the user could potentially come back several days later and still bypass having to enter login information. Obviously, there are security concerns, but you can control how long the cookies remain valid and also provide a "log out" link for the user to manually delete the cookies and force a login the next time around. Here is my understanding of the directives: AuthPassiveEnable Obviously used to enable/disable the module. AuthPassiveCookieUserName The name of the cookie used to store username information. AuthPassiveCookiePassName The name of the cookie used to store md5 hashed password information. AuthPassiveCookieBackURL The name of the cookie containing the protected URL the surfer was trying to access. The module sets this before redirecting to the login URL, so you can easily send the surfer back to the same protected URL after authenticating. AuthPassiveLoginURL The URL the surfer is redirected to for authentication. This is my favorite aspect of this module. It allows you to specify a custom login page, rather than the popup dialog box used by basic authentication. It gives you full .htaccess style directory protection with a custom login page that's very easy to implement. AuthPassiveDBMSessFile The path to the dbm file holding user/pass/group data used by the "passive" login mechanism. AuthPassiveGroups A list of required groups for authentication. Right now, I store user/pass/group info in a database and load that info into the dbm file when the user logs in via the custom login form. The arbitrary dbm key is stored in a cookie called SESSION. I use a 32 char random string for my dbm key/SESSION cookie value. The dbm value consists of: username,md5password,groupname,timestamp So, with the sample config above, the module uses the SESSION, USER, and PASS cookies to implement the passive authentication. However, it would be nice to just skip the dbm file altogether and have the module authenticate directly against the database. I wish mod_auth_mysql implemented some of these config options. Anyway, the more I play with it, the more I like it. It makes setting up a custom login page with "remember me" capability really easy. I just wish I could find the source or, at least, some documentation. I dabble in C, but I'm not a great C programmer. I've played with apache modules using mod_perl, but have never tried writing one in C. I don't know if decompiling the .so file would produce anything useful. If anyone is interested, I'm more than willing to share the .so file and help reverse engineer it. I'm currently running apache 1.3.33 on Debian sarge. Here's the top of my apache version info: Server version: Apache/1.3.33 (Debian GNU/Linux) Server built: Aug 27 2006 16:34:48 Server's Module Magic Number: 19990320:16 I'm just afraid that when I eventually upgrade apache, I'm going to lose the capabilities of this module. I think it has the potential to be pretty popular, once people learn what it can do -- especially if it's paired with database capabilities like mod_auth_mysql offers. Thanks, --jeff > > > I'm not sure I understand what it does, could you elaborate? > > If it's that useful maybe you should contact the Apache people and share it? > > > > > At 03:05 PM 11/2/2007, you wrote: >>Thanks, Nick. >> >>Unfortunately, it actually works quite well. I was hoping to continue using >>it after upgrading. It has a nice feature that allows you to specify a >> login >>URL, rather than using the basic popup box. I haven't looked around >>recently, but are there any other mod_auth modules that have a login URL >>configuration directive like this? >> >>--jeff --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|