Re: Summary: [apache-modules] Session/Cookie-Based Authentication Library

[Bojan Smojver <bo...@rexursive.com>]

On Sun, 2005-09-25 at 18:45 +0300, Eli Marmor wrote:

> If anybody else has anything to add about the differences between these
> library, or even about another library which does the work, please
> speak now or forever hold your peace  ;-)   (just kidding...)

Only because of the "forever hold your peace" bit... :-)

Yours truly has written mod_spin (and this is therefore a shameless
plug), which can also be used for such a purpose in conjunction with one
of its applications, spin_auth. For now (as of version 1.0.10), only
pages that are mod_spin templates can be authenticated using this code.
New development code (unreleased mod_spin 1.1.0) can provide
authentication for any URL.

The whole thing is based on regular Apache basic authentication, so
whatever Apache supports, this supports. One creates a URL that is going
to be the authentication point and if the user gets in, this is recorded
in the session file (this can be shared between servers if you have a
clustered file system like GFS). This authentication can be over SSL/TLS
(i.e. to prevent basic authentication being ripped to shreds), although
the site can be a plain HTTP site.

The cookie is base on mod_unique_id, but it is accompanied by an MD5
digest of itself and a salt (at least 30 characters) defined in the
configuration file. The salts can be periodically rotated by an external
script to further strengthen the digest. This requires a graceful
restart of the server (which can be, of course, done under load -
compliments of Apache developer :-).

How good/bad and how (in)secure this whole thing is, you will have to
judge for yourself, as this is not really a community project, but my
own little concoction. The code is licensed under the GPL with exception
to link with Apache and libapreq2.

-- 
Bojan