Posted to modperl@perl.apache.org by Jeff AA <ja...@aquabolt.com> on 2002/05/14 10:06:30 UTC

mod_perl: User Authentication recommendations requested

I have a requirement to protect all pages on a website, and to only
allow in users with a valid user id, password, client certificate and
recognised IP.

I know this is asking a lot, but I would appreciate an
overview/recommendation of approaches that are 1st safe, and 2nd fast.

I think something like:

Scenario 1: unauthenticated user gets authenticated
1) user hits site - no session = unauthenticated
   create new session, remember requested page, redirect to /login page
2) /login page: collect username/password, POST action is /authenticate
3) /authenticate page: perform checks, if all ok set
   $session->is_logged_in(TRUE);
   and redirect to originally requested page [stored in session]

Scenario 2: authenticated user accesses site
1) user hits page - has session
   redirect to /login if ( not $session->is_logged_in() );
   redirect to /login?message=inactivity+timeout if ( time - $session->last_access() > 1hr );

Which seems to fit the functionality bill - users can bookmark their
favourite part of the system. When they come in but have not yet
authenticated, they get momentarily diverted through the
/login/authenticate pages.

Is this safe? 
How should I ensure that the sessions never get hijacked?

I am thinking along the lines of an additional transient cookie, issued
when the session authenticates the user, that contains
md5(some_secret+session_id) and is also checked?

And... is there already a nifty mod_perl class that does all this? I
have Apache::AuthCookie working from examples, but don't know what the
security implications of using it are, without reading the code [which I
will do soon I guess]. I also have problems with the LOGIN POST saying
POST: METHOD NOT ALLOWED when I try to get mod_perl to be the handler
for Location /.

Any recommendations/feedback appreciated! Even if it's a recipe I
haven't yet reached!

Thanks in advance,
Jeff
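
The flow in scenarios 1 and 2 above, together with a session-binding cookie, as an added example that is not part of the original post and is not Apache::AuthCookie's code. Requests are modelled as plain Perl hashes instead of Apache request objects so the script runs stand-alone under plain perl (5.10 or later; Digest::SHA is a core module); the handler names, the user record, the secret and the client addresses are all constructed for the example. It departs from the post's md5(some_secret+session_id) in two ways a reviewer would ask for: the binding value is an HMAC-SHA256 keyed with the server secret (a bare hash of secret||data is open to length extension) that also covers the client certificate DN and IP, and the session id is regenerated at login so a pre-authentication id can never become an authenticated one.

```perl
# Added example, not code from the post: a pure-Perl model of scenarios 1 and 2
# plus a session-binding cookie. Requests are plain hashes rather than Apache
# objects so it runs stand-alone; every name below is invented for the example.
use strict; use warnings;
use Digest::SHA qw(hmac_sha256_hex sha256_hex);

my $SERVER_SECRET = 'replace-with-32-random-bytes';   # assumption: loaded from config
my $TIMEOUT       = 3600;                             # 1 hour of inactivity
my %store;                                            # sid => { logged_in, user, last_access, want }
my %users = (                                         # constructed record; real code: salted slow hash
    jeff => { pw_hash => sha256_hex('s3cret'), cert_dn => 'CN=jeff', ip => '10.0.0.5' },
);

sub new_session_id {           # real code: 16+ bytes from /dev/urandom
    return sha256_hex(join ':', $SERVER_SECRET, time(), $$, rand());
}

# Binding value issued at login: HMAC keyed with the server secret over the
# session id, client cert DN and IP. HMAC instead of md5(secret . sid) because a
# bare hash of secret||data is extendable; covering cert and IP means a cookie
# pair replayed from another client fails the check.
sub binding_mac {
    my ($sid, $cert_dn, $ip) = @_;
    return hmac_sha256_hex(join("\0", $sid, $cert_dn, $ip), $SERVER_SECRET);
}

sub constant_time_eq {         # compare without leaking the mismatch position
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub handle_request {
    my ($req) = @_;
    my ($now, $path, $sid) = ($req->{now}, $req->{path}, $req->{cookies}{sid});
    my $sess = defined $sid ? $store{$sid} : undef;
    if (!$sess) {              # scenario 1, step 1: new session, remember the page
        $sid = new_session_id();
        $store{$sid} = { logged_in => 0, last_access => $now,
                         want => ($path =~ m{^/(?:login|authenticate)$} ? '/' : $path) };
        return { status => 302, location => '/login', set_cookie => { sid => $sid } };
    }
    return { status => 200, body => 'login form' } if $path eq '/login';
    return do_login($req, $sid, $sess)             if $path eq '/authenticate';
    unless ($sess->{logged_in}) {                  # scenario 2: protected page
        $sess->{want} = $path;
        return { status => 302, location => '/login' };
    }
    if ($now - $sess->{last_access} > $TIMEOUT) {
        @{$sess}{qw(logged_in want last_access)} = (0, $path, $now);
        delete $sess->{user};
        return { status => 302, location => '/login?message=inactivity+timeout' };
    }
    my $expected = binding_mac($sid, $req->{cert_dn} // '', $req->{ip} // '');
    unless (constant_time_eq($req->{cookies}{bind}, $expected)) {
        delete $store{$sid};   # treat as hijack: the session dies for everyone
        return { status => 403 };
    }
    $sess->{last_access} = $now;
    return { status => 200, body => "$path for $sess->{user}" };
}

sub do_login {                 # scenario 1, step 3: all checks, then rotate the id
    my ($req, $old_sid, $sess) = @_;
    my $u   = $req->{post}{user} // '';
    my $rec = $users{$u};
    my $ok  = $rec && constant_time_eq(sha256_hex($req->{post}{pass} // ''), $rec->{pw_hash})
        && ($req->{cert_dn} // '') eq $rec->{cert_dn} && ($req->{ip} // '') eq $rec->{ip};
    return { status => 302, location => '/login?message=bad+credentials' } unless $ok;
    # New id on login so a pre-authentication id (session fixation) never becomes an authenticated one.
    my $new_sid = new_session_id();
    $store{$new_sid} = { %$sess, logged_in => 1, user => $u, last_access => $req->{now} };
    delete $store{$old_sid};
    my $target = delete $store{$new_sid}{want} // '/';
    return { status => 302, location => $target, set_cookie =>
             { sid => $new_sid, bind => binding_mac($new_sid, $rec->{cert_dn}, $rec->{ip}) } };
}

# Walk-through with a constructed client; each step dies if the flow misbehaves.
my %jar; my $t = 1_000_000;
sub go {
    my %o   = @_;
    my $res = handle_request({ cookies => {%jar}, cert_dn => 'CN=jeff', ip => '10.0.0.5', now => $t, %o });
    %jar = (%jar, %{ $res->{set_cookie} || {} });
    return $res;
}
die 'expected redirect to /login'   unless go(path => '/reports/q1')->{location} eq '/login';
die 'expected return to bookmark'   unless go(path => '/authenticate', post => { user => 'jeff', pass => 's3cret' })->{location} eq '/reports/q1';
die 'expected page'                 unless go(path => '/reports/q1')->{status} == 200;
$t += $TIMEOUT + 1;
die 'expected timeout redirect'     unless go(path => '/reports/q1')->{location} eq '/login?message=inactivity+timeout';
go(path => '/authenticate', post => { user => 'jeff', pass => 's3cret' });
die 'expected page after re-login'  unless go(path => '/reports/q1')->{status} == 200;
# A hijacker replays the sid alone from another address.
my $stolen = handle_request({ path => '/reports/q1', cookies => { sid => $jar{sid} }, cert_dn => 'CN=jeff', ip => '192.0.2.9', now => $t });
die 'replayed sid must be refused'  unless $stolen->{status} == 403;
die 'hijacked session must be gone' unless go(path => '/reports/q1')->{location} eq '/login';
print "all checks passed\n";
```

In a real mod_perl deployment the cookie lookups and redirects would come from the request object and the session store would live outside the process (the in-memory hash here is per child), and the cert DN and remote address would be taken from SSL_CLIENT_S_DN and the connection rather than from the request hash; the checks themselves are the same.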



RE: mod_perl: User Authentication recommendations requested

Posted by Jeff Armstrong <je...@bircholme.com>.
And then he reads on p360 that there are tantalising recipes in chapter
13...

I would still appreciate the list's thoughts and experience.

-----Original Message-----
From: Jeff AA [mailto:jaa.perl@aquabolt.com] 
Sent: 14 May 2002 09:07
To: modperl@perl.apache.org
Subject: mod_perl: User Authentication recommendations requested
