You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Thomas Eckert <th...@gmail.com> on 2014/01/20 16:31:43 UTC

[users@httpd] Using form based authentication sessions across locations

Using form based auth, e.g.

<Location /foo>
    AuthName "forms_foo"
    AuthFormProvider my_provider
    AuthType form
    AuthFormLoginRequiredLocation "/foo_form"
    Session On
    SessionCookieName foo_cookie path=/foo/;httponly
    SessionCryptoPassphrase somereallyneatandnicepassphrase
    SessionCookieRemove On
    Require valid-user
</Location>

is it possible to "reuse" that session cookie for another path, e.g. /bar ?
With "reuse" I think of sending out a session cookie for /bar as well as
for /foo. This way, users logging in through form based auth on /foo  will
not have to log in on /bar as well.

HTTP cookies do not allow for multiple paths, so if at all one would have
to use multiple cookies. Since the cookies should carry session information
I reckon they ought to be configured via mod_session_cookie but that module
has no fitting directive. The only thing in mod_session_cookie close to
what I'm looking for is AuthFormSitePassphrase but I do need auth checks in
my custom provider to run (timeouts involved).

Any suggestions on how to go about this ?