Apache sessions providing authentication.

Michael James michael at james.st
Thu Mar 13 20:24:43 EST 2003


Dear Linuxers,

Anyone know of an Apache authorization module that's session based?

It works like this:
Any get without a session identifying cookie
 gets shunted to a login page to get one.
That page is a CGI so it can back end into anything.
Maybe PAM maybe LDAP.

The cookie has nothing but a big random
 hard to guess session number in it.
The username and rights are stored in a table on the server.
 (200 users, 1/2 hour timeouts, it's no problem)

GETs on CGI and PHP scripts get loaded with
 session persistent variables by the auth module
 a la Java Beans.

Every 10 minutes your cookie is silently refreshed.
 (This allows some detection of cookie stealing)

If you go over the 1/2 hour without a GET;
 back to the login to revive your session.

Seems secure and obvious but I can't find it,
michaelj

Michael James				michael.james at csiro.au
System Administrator			voice:	02 6246 5040
CSIRO Bioinformatics Facility	fax:		02 6246 5166
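The scheme sketched above, as an added example in Python (not code from the poster or from any Apache module): a server-side session table keyed by an unguessable cookie value, a half-hour idle timeout, a silent re-issue of the id every ten minutes, and the cookie-theft check that the rotation makes possible. An old id presented well after its replacement was issued means two parties hold the cookie, so the whole session is revoked. The 30-second grace window for in-flight requests, the cookie attributes and the environment-variable names handed to the CGI are assumptions, not anything the post specifies.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

# Timing policy from the post: half-hour idle timeout, silent re-issue every
# ten minutes.  GRACE is an assumption: a client that has just received a
# new cookie may still have requests in flight carrying the old one.
IDLE_TIMEOUT = 30 * 60
ROTATE_EVERY = 10 * 60
GRACE = 30


@dataclass
class Session:
    user: str
    rights: FrozenSet[str]
    last_seen: float
    rotated_at: float


class SessionStore:
    """Server-side session table; the cookie carries only an opaque id."""

    def __init__(self) -> None:
        self._live: Dict[str, Session] = {}
        # old id -> (id that replaced it, time it was retired)
        self._retired: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def login(self, user: str, rights: Iterable[str], now: float) -> str:
        """Called by the login CGI after PAM/LDAP has accepted the credentials."""
        sid = self._new_id()
        self._live[sid] = Session(user, frozenset(rights), now, now)
        return sid

    def _tip(self, sid: str) -> str:
        """Follow the chain of retired ids to the id that is currently live."""
        while sid in self._retired:
            sid = self._retired[sid][0]
        return sid

    def revoke(self, sid: str) -> bool:
        """Drop a session and every retired id that still points at it."""
        gone = self._live.pop(sid, None) is not None
        for old in [o for o in self._retired if self._tip(o) == sid]:
            del self._retired[old]
        return gone

    def authenticate(self, sid: str, now: float):
        """Validate a presented cookie value.

        Returns (session, new_cookie_value_or_None) on success, or
        (None, reason) when the request must be shunted to the login page.
        """
        entry = self._retired.get(sid)
        if entry is not None:
            _, retired_at = entry
            current = self._tip(sid)
            if now - retired_at > GRACE:
                # The real client has been using the replacement cookie for a
                # while; an old id showing up now means someone else has a copy.
                self.revoke(current)
                return None, "replay"
            sid = current
        sess = self._live.get(sid)
        if sess is None:
            return None, "unknown"
        if now - sess.last_seen > IDLE_TIMEOUT:
            self.revoke(sid)
            return None, "expired"
        sess.last_seen = now
        new_cookie = None
        if now - sess.rotated_at >= ROTATE_EVERY:
            new_cookie = self._new_id()
            del self._live[sid]
            self._live[new_cookie] = sess
            self._retired[sid] = (new_cookie, now)
            sess.rotated_at = now
        return sess, new_cookie


def set_cookie_header(sid: str) -> str:
    """Cookie attributes a present-day deployment would add (assumed, not in the post)."""
    return f"Set-Cookie: SESSION={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def cgi_environment(sess: Session) -> Dict[str, str]:
    """Variables the auth module would hand to the CGI/PHP script (names assumed)."""
    return {"REMOTE_USER": sess.user,
            "SESSION_RIGHTS": ",".join(sorted(sess.rights))}
```

The cookie never carries the username or rights, so a script that trusts `REMOTE_USER` is trusting the server-side table rather than anything the browser sent. Because the rotation keeps the old id for only a short grace window, a stolen cookie that is replayed after the legitimate user's next rotation is both detected and useless.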

