Posted to users@httpd.apache.org by Joshua Slive <js...@gmail.com> on 2005/07/20 19:01:03 UTC

Re: [users@httpd] Authenticating All Requests Via A Subdomain Using Mod_Rewrite

On 7/20/05, Dukkefup Mun <du...@hotmail.com> wrote: 
> I want to configure my domain www.constructingreality.com to forward all
> incoming requests to a subdomain called
> checkpoint.constructingreality.com.  On this subdomain I am
> performing various security checks (is the users ip banned? Is the section
> of the site that they want down for maintenance? Are they allowed to have
> the file they asked for? etc).  The reason why I am doing this is because I
> want something a little more robust than what Apache currently provides
> facilities for. Once checkpoint.constructingreality.com is
> done with its work, the cgi-script handling all the functionality of that
> subdomain issues a redirect back into www.constructingreality.com which
> contains the uri of the originally requested file.  The problem I am running
> into is that once the return request reaches www.constructingreality.com,
> it's seen as a totally new request and immediately bounced back
> to checkpoint.constructingreality.com, thus locking the
> request into an endless loop until mod_rewrite hits its internal
> redirection limit.  This is not a desired behavior.

This is a relatively common, but not at all simple problem.  You would
probably have better luck searching for things like "cross-domain
authentication".

The most obvious (but wrong) answer is to check the HTTP Referer
header to see where the browser came from.  This is completely
insecure and shouldn't be used.

Really, you have two separate problems:
1. How to communicate from checkpoint to www that a user is allowed access.
2. How to remember this information on www.

For the second part, you'll almost certainly need to use cookies. 
You'll need to send the user a cookie and then check it on each new
request.  There are some apache modules at http://modules.apache.org/
that can handle the cookie checking, or you can do it in your
application.

For the first part, you need to have checkpoint give something to the
browser that it can pass back to www to prove that it is
authenticated.  Again, the best idea is probably a cookie, since the
two servers are in the same domain and could share a domain cookie. 
But it could also be a special string embedded in the URL.  You'll
need to make sure that the string or cookie is cryptographically
secure.

Anyway, the punchline is: this problem is much more complicated than
you were anticipating, and you need to do some serious research into
managing sessions across servers using cookies.

Joshua.
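As an added illustration of the signed domain cookie Joshua suggests (this is example code, not from his reply or the original poster's setup): checkpoint issues an HMAC-signed, expiring token in a cookie scoped to the whole domain, and www verifies that cookie before deciding whether to bounce a request to checkpoint, which is what breaks the redirect loop. The secret, cookie name, lifetime and `return` parameter are assumptions.

```python
import hashlib, hmac, time
from http.cookies import SimpleCookie
from urllib.parse import quote

# Constructed shared secret (assumption): in practice both vhosts read it from
# a file outside the document root, and it is never sent to the browser.
SECRET = b"constructed-example-secret-change-me"
COOKIE_NAME = "checkpoint"          # assumed cookie name
CHECKPOINT = "https://checkpoint.constructingreality.com/"

def issue_token(subject, lifetime=300, now=None):
    """Built by checkpoint once its checks pass; value of the domain cookie."""
    if "|" in subject:
        raise ValueError("subject must not contain '|'")
    expires = int(now if now is not None else time.time()) + lifetime
    payload = f"{subject}|{expires}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def verify_token(token, now=None):
    """Return the subject if the MAC matches and the token is unexpired, else None."""
    try:
        payload, mac = token.rsplit("|", 1)
        subject, expires = payload.split("|")
        expires = int(expires)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if int(now if now is not None else time.time()) >= expires:
        return None
    return subject

def set_cookie_header(token):
    """Set-Cookie line checkpoint sends; Domain=.constructingreality.com makes www see it too."""
    return (f"Set-Cookie: {COOKIE_NAME}={token}; Domain=.constructingreality.com; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")

def www_decision(cookie_header, request_uri, now=None):
    """www's handling of a request: serve if the cookie verifies, otherwise
    redirect to checkpoint. Checking before redirecting is what ends the loop."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    subject = verify_token(morsel.value, now) if morsel else None
    if subject is None:
        return ("redirect", CHECKPOINT + "?return=" + quote(request_uri, safe=""))
    return ("serve", subject)
```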

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org