Posted to modperl@perl.apache.org by Martin Moss <ma...@btopenworld.com> on 2005/11/10 16:56:33 UTC

Authentication

All,

During the Authentication phase, any custom responses
that need to be sent back to a user MUST be sent with
FORBIDDEN using custom_response?

Under Authentication, 200 (OK) simply lets Apache move
on to the next phase (authz, content etc..)...

I have an authen handler which uses cookies.. and only
accepts username and password submits under https...

I'm getting grief from our sysadmin that there's too
many 403's being served...

1) to redirect the user from their http request to a
https page.. 
2) custom response showing the login page
3) redirect user to original http page 

so 3 403's when a user has no valid cookie.... 
Is this abnormal? Is there anything I could do to
reduce this?

Marty




Re: Authentication

Posted by John Wittkoski <jo...@aol.com>.
Martin Moss wrote on 11/10/05, 1:25 PM:

 > Although saying that I was trying to do a set_handlers
 > for the content phase... which was being completely
 > ignored by apache...


Marty,
Not sure it's related, but I had what sounds like a similar problem with 
an authorization handler. I wanted to return different content if the 
user wasn't authorized instead of just the normal 403 error.

Initially I was doing this:

$r->set_handlers(PerlHandler => ['Apache::MyModule::DeniedUserPage']);

Where DeniedUserPage would get called at the content phase to return the 
(customized) authorization failed content.

But it didn't work. In order to get it to work I had to add:

$r->handler('perl-script');

I think it's because the URL the user was requesting wasn't normally 
handled by mod_perl at the content phase, so when inserting the content 
handler I had to force mod_perl to catch it.

(It seems like setting a PerlHandler should automatically trigger this 
to happen, but I couldn't get it to work without it. Disclaimer: This is 
under mod_perl 1.26, behavior on other versions may be different.)


    --John


Re: Authentication

Posted by John ORourke <jo...@versatilia.com>.
Hi Marty, I must be missing something here...

If I understand, you're timing out a login but if it does time out, 
you're automatically re-authenticating without user interaction?  Why 
not just take away the login timeout or make it longer?

John


Martin Moss wrote:

>I'll have a think about it... But the idea is to make
>the authentication be completely invisible to the
>users page request.. so if their login times out, and


Re: Authentication

Posted by Martin Moss <ma...@btopenworld.com>.
You wouldn't believe the problems I've had with
AccessHandlers...

Although saying that I was trying to do a set_handlers
for the content phase... which was being completely
ignored by apache...

I'll have a think about it... But the idea is to make
the authentication be completely invisible to the
users page request.. so if their login times out, and
they've just submitted a post to a message board, we
want to preserve their post throughout the
authentication and then when they're authenticated,
have the post occur and the user never have the
authentication process appear in their browser
history... 

Marty


--- John ORourke <jo...@versatilia.com> wrote:

> My fault guys, not looking up the numbers - Martin is your admin 
> complaining about too many FORBIDDENs or REDIRECTs?
> 
> The only thing I can add is that I'd recommend not using the 
> authentication pages/handler to redirect - make yourself an Access phase 
> (eg. "if no valid cookie, redirect to HTTPS login page with appropriate 
> parameters").
> 
> John
> 
> 
> Perrin Harkins wrote:
> 
> >On Thu, 2005-11-10 at 17:19 +0000, Martin Moss wrote:
> >
> >>So an Authen Handler can return a REDIRECT?
> >>
> >>I use a 403 custom_response which is a self submitting
> >>page (with non javascript handling)... By doing so it
> >>prevents any of the authentication pages appearing in
> >>IE's back button on the browser...
> 
> 




Re: Authentication

Posted by John ORourke <jo...@versatilia.com>.
My fault guys, not looking up the numbers - Martin is your admin 
complaining about too many FORBIDDENs or REDIRECTs?

The only thing I can add is that I'd recommend not using the 
authentication pages/handler to redirect - make yourself an Access phase 
(eg. "if no valid cookie, redirect to HTTPS login page with appropriate 
parameters").

John


Perrin Harkins wrote:

>On Thu, 2005-11-10 at 17:19 +0000, Martin Moss wrote:
>  
>
>>So an Authen Handler can return a REDIRECT?
>>
>>I use a 403 custom_response which is a self submitting
>>page (with non javascript handling)... By doing so it
>>prevents any of the authentication pages appearing in
>>IE's back button on the browser...
>>    
>>
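John's suggestion above (do the cookie check in the Access phase and redirect to the HTTPS login page), combined with Perrin's point further down that a redirect is a 302 and not a 403, can be written as a PerlAccessHandler. The following is an added example for this thread, not code from any of the posters or from the mod_perl project. It assumes the mod_perl 1.x API (Apache::Constants, header_in/header_out, is_initial_req), a session cookie named `session`, a login form at `/login` on the HTTPS vhost, and a placeholder session lookup (`session_is_valid`) that a real site would replace with its own backend check.

```perl
package My::CookieAccess;
# Added example for the modperl thread, not code from any poster or from mod_perl.
# Assumes the mod_perl 1.x API. Enable it on the plain-HTTP vhost with:
#   PerlAccessHandler My::CookieAccess
use strict;
use warnings;
use Apache::Constants qw(OK REDIRECT);
use URI::Escape qw(uri_escape);

# Assumed names: the session cookie and the path of the HTTPS login form.
my $COOKIE_NAME = 'session';
my $LOGIN_PATH  = '/login';

# Placeholder session store, constructed for the example only. A real site
# would check the token against its own session backend here.
my %VALID_TOKENS = ('0123456789abcdef' => 'marty');

sub session_is_valid {
    my $token = shift;
    return defined $token && exists $VALID_TOKENS{$token};
}

# Parse the Cookie request header into name => value pairs, skipping
# malformed entries so an odd-looking header cannot break the hash.
sub parse_cookies {
    my $header = shift;
    my %cookies;
    for my $pair (split /;\s*/, (defined $header ? $header : '')) {
        my ($name, $value) = split /=/, $pair, 2;
        $cookies{$name} = $value if defined $name && defined $value;
    }
    return \%cookies;
}

sub handler {
    my $r = shift;

    # Run once per client request, not again for subrequests or internal redirects.
    return OK unless $r->is_initial_req;

    # Let the login form itself through, otherwise the redirect would loop.
    return OK if $r->uri eq $LOGIN_PATH;

    my $cookies = parse_cookies($r->header_in('Cookie'));
    return OK if session_is_valid($cookies->{$COOKIE_NAME});

    # No valid cookie: send one 302 to the HTTPS login page. The return target
    # is built from the request's own path and query string, not from a
    # client-supplied parameter, so the login page cannot be turned into an
    # open redirect; the host comes from ServerName, not from the Host header.
    my $return_to = $r->uri;
    my $args      = $r->args;
    $return_to .= "?$args" if defined $args && length $args;

    my $login_url = 'https://' . $r->server->server_hostname . $LOGIN_PATH
                  . '?return_to=' . uri_escape($return_to);

    $r->header_out(Location => $login_url);
    return REDIRECT;    # Apache::Constants::REDIRECT, served by Apache as 302 Found
}

1;
```

This replaces the first of Marty's three 403s with a single 302 and leaves the Authen phase untouched. Under mod_perl 2 the equivalents are `Apache2::Const -compile => qw(OK REDIRECT)`, `$r->headers_in->{Cookie}` and `$r->headers_out->set(Location => $url)`. One caveat against Marty's requirement: a 302 carries no request body, so a message-board POST made with an expired cookie is lost at this point unless the login page stashes and replays it; the handler above does not attempt that. The login page should also check that `return_to` is a relative path before sending the user back.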


Re: Authentication

Posted by Perrin Harkins <pe...@elem.com>.
On Thu, 2005-11-10 at 17:19 +0000, Martin Moss wrote:
> So an Authen Handler can return a REDIRECT?
> 
> I use a 403 custom_response which is a self submitting
> page (with non javascript handling)... By doing so it
> prevents any of the authentication pages appearing in
> IE's back button on the browser...

I didn't answer your previous mail because I don't usually use the Auth
stuff and don't know much about it.  This all sounds really fishy
though.  403 is an HTTP response you send someone when you won't let
them in.  302 is a redirect.  And remember that the constants for
handler return values like Apache::OK are NOT the same as HTTP codes.
They are internal codes for use by apache.

Also, if by self-submitting page you mean a META-REFRESH (aka client
pull), keep in mind that browsers are free to ignore this, so it's fine
as a convenience but not effective as a security measure.

- Perrin


Re: Authentication

Posted by Martin Moss <ma...@btopenworld.com>.
So an Authen Handler can return a REDIRECT?

I use a 403 custom_response which is a self submitting
page (with non javascript handling)... By doing so it
prevents any of the authentication pages appearing in
IE's back button on the browser...

Marty





--- Perrin Harkins <pe...@elem.com> wrote:

> On Thu, 2005-11-10 at 16:20 +0000, John ORourke wrote:
> > You can avoid some redirection by having a non-HTTPS form which submits 
> > to the HTTPS login page (although users might worry, no padlock icon).  
> > Otherwise it's perfectly reasonable to redirect to a secure login.  On 
> > successful login simply 403 the user back to the page they wanted.  
> > That's just one 403 per request.
> 
> 403 means "Forbidden," not "Redirect."
> 
> - Perrin
> 
> 




Re: Authentication

Posted by Perrin Harkins <pe...@elem.com>.
On Thu, 2005-11-10 at 16:20 +0000, John ORourke wrote:
> You can avoid some redirection by having a non-HTTPS form which submits 
> to the HTTPS login page (although users might worry, no padlock icon).  
> Otherwise it's perfectly reasonable to redirect to a secure login.  On 
> successful login simply 403 the user back to the page they wanted.  
> That's just one 403 per request.

403 means "Forbidden," not "Redirect."

- Perrin



Re: Authentication

Posted by John ORourke <jo...@o-rourke.org>.
Martin,

You can avoid some redirection by having a non-HTTPS form which submits 
to the HTTPS login page (although users might worry, no padlock icon).  
Otherwise it's perfectly reasonable to redirect to a secure login.  On 
successful login simply 403 the user back to the page they wanted.  
That's just one 403 per request.

Finally set "ErrorDocument 401 /your/login/page" on the HTTPS site - 
note it's a relative URL so the redirect is done internally.

This is good behaviour IMHO, it means a failed login page won't be 
cached by anything or treated as a hit in the web stats.

(when using a custom ErrorDocument remember Internet Exploder will only 
display a custom error doc if its size is >512 bytes)


John


Martin Moss wrote:

>All,
>
>During the Authentication phase, any custom responses
>that need to be sent back to a user MUST be sent with
>FORBIDDEN using custom_response?
>
>Under Authentication, 200 (OK) simply lets Apache move
>on to the next phase (authz, content etc..)...
>
>I have an authen handler which uses cookies.. and only
>accepts username and password submits under https...
>
>I'm getting grief from our sysadmin that there's too
>many 403's being served...
>
>1) to redirect the user from their http request to a
>https page.. 
>2) custom response showing the login page
>3) redirect user to original http page 
>
>so 3 403's when a user has no valid cookie.... 
>Is this abnormal? Is there anything I could do to
>reduce this?
>
>Marty
>
>
>