Apache sessions providing authentication.
oscarb at netspeed.com.au
Thu Mar 13 23:55:31 EST 2003
Not sure if it's what you're looking for, but this sounds like what J2EE
servers do (or at least IBM's WebSphere - which ships with Apache as the
web server frontend. Don't know much about the others).
It will require a little programming to trap no session & redirect to
login page; and to connect to a data source for user info. The rest is
pretty much out of the box or requires a little configuration. BUT you
will have to work in Java (servlets, JSP, JDBC). And WebSphere has
fairly demanding h/w requirements, not to mention a fairly demanding price.
Michael James wrote:
>Anyone know of an Apache authorization module that's session based?
>It works like this:
>Any get without a session identifying cookie
> gets shunted to a login page to get one.
>That page is a CGI so it can back end into anything.
>Maybe PAM maybe LDAP.
>The cookie has nothing but a big random
> hard to guess session number in it.
>The username and rights are stored in a table on the server.
> (200 users, 1/2 hour timeouts, it's no problem)
>GETs on CGI and PHP scripts get loaded with
> session persistent variables by the auth module
> a la Java Beans.
>Every 10 minutes your cookie is silently refreshed.
> (This allows some detection of cookie stealing)
>If you go over the 1/2 hour without a GET;
> back to the login to revive your session.
>Seems secure and obvious but I can't find it,
>Michael James michael.james at csiro.au
>System Administrator voice: 02 6246 5040
>CSIRO Bioinformatics Facility fax: 02 6246 5166
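
The session scheme described in the quoted message, sketched as an added example (not code from this thread or from any existing Apache module): an opaque random cookie, a server-side table of user and rights, a half-hour idle timeout, and a ten-minute silent refresh that exposes reuse of an old cookie. The names `SessionTable`, `login` and `check` are hypothetical, and ending all of the user's sessions when a retired ID reappears is an assumed response to the detected theft.

```python
import secrets
import time

IDLE_TIMEOUT = 30 * 60      # half-hour idle timeout from the post
REFRESH_INTERVAL = 10 * 60  # cookie silently refreshed every 10 minutes


class SessionTable:
    """Server-side session table; the cookie carries only a random ID."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.live = {}     # session ID -> session record
        self.retired = {}  # rotated-out ID -> username, kept for theft detection

    def login(self, username, rights):
        # Called by the login page once PAM, LDAP, etc. has accepted the user.
        now = self.clock()
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.live[sid] = {"user": username, "rights": rights,
                          "issued": now, "last_seen": now}
        return sid

    def check(self, sid):
        """Return (verdict, cookie_to_set, record) for one incoming GET."""
        now = self.clock()
        if sid in self.retired:
            # A rotated-out ID came back: two clients hold this session.
            # Assumed response: end every live session of that user.
            user = self.retired[sid]
            for s in [s for s, r in self.live.items() if r["user"] == user]:
                del self.live[s]
            return ("stolen", None, None)
        rec = self.live.get(sid)
        if rec is None:
            return ("login", None, None)   # no session: shunt to login page
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            del self.live[sid]
            return ("login", None, None)   # idle too long: log in again
        rec["last_seen"] = now
        if now - rec["issued"] >= REFRESH_INTERVAL:
            # Silent refresh: issue a new ID and retire the old one.
            del self.live[sid]
            self.retired[sid] = rec["user"]
            sid = secrets.token_urlsafe(32)
            rec["issued"] = now
            self.live[sid] = rec
        return ("ok", sid, rec)
```

Parallel requests already in flight when a rotation happens would also present the retired ID, so a deployment needs a short grace window before treating reuse as theft, and the cookie should be set with the `Secure` and `HttpOnly` attributes.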