Apache sessions providing authentication.
michael at james.st
Thu Mar 13 20:24:43 EST 2003
Anyone know of an Apache authorization module that's session based?
It works like this:
Any get without a session identifying cookie
gets shunted to a login page to get one.
That page is a CGI so it can back end into anything.
Maybe PAM maybe LDAP.
The cookie has nothing but a big random
hard to guess session number in it.
The username and rights are stored in a table on the server.
(200 users, 1/2 hour timeouts, it's no problem)
GETs on CGI and PHP scripts get loaded with
session persistent variables by the auth module
a la Java Beans.
Every 10 minutes your cookie is silently refreshed.
(This allows some detection of cookie stealing)
If you go over the 1/2 hour without a GET;
back to the login to revive your session.
Seems secure and obvious but I can't find it,
Michael James michael.james at csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
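
The scheme described in the message above, as an added sketch that is not part of the original post and not an existing Apache module. `SessionTable`, its method names and the verdict strings are hypothetical, and treating a returning rotated-out token as the theft signal is an assumed reading of "some detection of cookie stealing".

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60    # the post's half-hour timeout
REFRESH_EVERY = 10 * 60   # the post's silent cookie refresh

class SessionTable:
    """Server-side table; the cookie carries only the random token."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.live = {}     # current token -> session record
        self.retired = {}  # rotated-out token -> session record (assumed design)

    def login(self, user, rights):
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self.live[token] = {"user": user, "rights": rights, "vars": {},
                            "last_get": now, "issued": now}
        return token

    def check(self, token):
        """Return (verdict, session, new_cookie_or_None) for one GET."""
        now = self.clock()
        if token in self.retired:
            # A replaced cookie came back: two parties hold this session.
            self._kill(self.retired[token])
            return "stolen", None, None
        sess = self.live.get(token)
        if sess is None or now - sess["last_get"] > IDLE_TIMEOUT:
            self.live.pop(token, None)
            return "login", None, None   # shunt to the login page
        sess["last_get"] = now
        if now - sess["issued"] < REFRESH_EVERY:
            return "ok", sess, None
        # Refresh: retire the old token and hand out a fresh one.
        self.retired[token] = self.live.pop(token)
        fresh = secrets.token_urlsafe(32)
        sess["issued"] = now
        self.live[fresh] = sess
        return "ok", sess, fresh

    def _kill(self, sess):
        # Drop every token, live or retired, that maps to this session.
        for table in (self.live, self.retired):
            for tok in [t for t, s in table.items() if s is sess]:
                del table[tok]
```

A deployment would also need a short grace window for in-flight requests that still carry the old cookie right after a refresh, and periodic pruning of `retired`.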