You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apreq-dev@httpd.apache.org by Eli Marmor <ma...@netmask.it> on 2005/09/22 14:11:33 UTC
Session/Cookie-Based Authentication Library
[cross-posting to apache-modules and apreq-dev; Please respond even if
you are subscribed only to one of them]
Hi,
I'm looking for a good and popular C library to help authenticate users
based on cookies/session (please don't confuse with HTTP auth).
While there are MANY such libraries for PHP, there are only 3-4 for C
(WebAuth, mod_auth_tkt, etc.).
Before I download all of them, compile them, install them, learn them,
try them, and then compare them, can anybody recommend the best and/or
popular one?
I don't care if it serves Apache modules or CGI bins; both serve my
need.
By the way: it may be based on libapreq2. And if I come into it, then
what about the following idea: to add some authentication functions to
libapreq2; In any case, it already does most of the work, including
GET/POST parameter manipulation, as well as cookie manipulation.
Thanks,
--
Eli Marmor
marmor@netmask.it
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020 8 Yad-Harutzim St.
Fax.: +972-9-766-1314 P.O.B. 7004
Mobile: +972-50-5237338 Kfar-Saba 44641, Israel
Re: Session/Cookie-Based Authentication Library
Posted by Jonathan Vanasco <jv...@mastersofbranding.com>.
call me crazy, but putting that in libapreq2 seems like it would:
bloat the code with unnecessary api functions (as not everyone would
use it - i only use session stuff on 1 of 4 projects that are running
under libapreq)
create new avenues for bugs
add new functions/logic for the developers to maintain, making
releases further apart
your idea sounds like a perfect plan for a seperate, yet libapreq2
dependent authentication library - which would not only nullify any
negative impact it could have on libapreq, but offer customization and
be really badass
On Sep 22, 2005, at 9:57 AM, Eli Marmor wrote:
> Sorry for being not enough clear: I didn't speak about HTTP
> authentication, and even not about a library doing the authentication
> for you. All I spoke was about some convenient routines that may save
> 80% of the work for people who implement cookies-based or session-based
> authentication.
Re: Session/Cookie-Based Authentication Library
Posted by Max Kellermann <ma...@duempel.org>.
On 2005/09/22 15:57, Eli Marmor <ma...@netmask.it> wrote:
> Sorry for being not enough clear: I didn't speak about HTTP
> authentication, and even not about a library doing the authentication
> for you. All I spoke was about some convenient routines that may save
> 80% of the work for people who implement cookies-based or session-based
> authentication.
I had understood well what you wanted.
> The username and the password are received from the user by a POST
> request, optionally encrypted (by SSL, or by JavaScript, etc.). From
> now on, the programmer "marks" the session, so following requests will
> be identified as coming from this specific user. This can be done in
> two ways: by setting a unique cookie (usually temporary), or by adding
> a unique hidden "&arg=val" to following requests/responses
> ("sessionization").
That's already a lot of assumptions you're making about the
authentication process, which a generic library like libapreq should
not know of.
Why do you want to add that to libapreq, instead of an add-on library?
An additional library can do the same job in saving this 80% of
people's work you spoke of. Note: we agree that there is a demand for
such a library / module, and that using libapreq makes sense.
Max
Re: Session/Cookie-Based Authentication Library
Posted by Eli Marmor <ma...@netmask.it>.
Max Kellermann wrote:
>
> On 2005/09/22 14:11, Eli Marmor <ma...@netmask.it> wrote:
> > By the way: it may be based on libapreq2. And if I come into it,
> > then what about the following idea: to add some authentication
> > functions to libapreq2; In any case, it already does most of the
> > work, including GET/POST parameter manipulation, as well as cookie
> > manipulation.
>
> I believe we should not add anything about authentication to libapreq.
> It is currently a generic request parser, and should stay so. Adding
> authentication would require to make assumptions about the
> authentication procedure, which in turn forces users to follow our
> assumptions.
>
> There is no disadvantage in implementing authentication in an
> additional library.
Sorry for being not enough clear: I didn't speak about HTTP
authentication, and even not about a library doing the authentication
for you. All I spoke was about some convenient routines that may save
80% of the work for people who implement cookies-based or session-based
authentication.
And I'll add a brief explanation for people who don't control exactly
how this authentication works:
The username and the password are received from the user by a POST
request, optionally encrypted (by SSL, or by JavaScript, etc.). From
now on, the programmer "marks" the session, so following requests will
be identified as coming from this specific user. This can be done in
two ways: by setting a unique cookie (usually temporary), or by adding
a unique hidden "&arg=val" to following requests/responses
("sessionization").
There must be a special URL/module/whatever for logout.
Cookies may be not temporary, so following accesses to the site, will
cause the "username" field of the login form to be initialized with the
value from the previous time (of course, this is optional).
While it's easy to describe this mechanism, its implementation (without
the help of any library) is hard. Implementation based on a library
like libapreq2 saves the effort by at least 50%. All I suggested was to
add some convenient routines that will ease this effort further. For
example, a function to create an encrypted code to be used as the
unique cookie or session-id. Or obtaining the code from a request. Or
getting the username out of a request struct. Or using the input filter
to "consume" the session-id from the QUERY_STRING (or the POST params)
so filters/modules following in the chain will not see it.
This extra API is so thin, and will be very easy to code, because most
of its work is already done by lower level functions of libapreq2.
--
Eli Marmor
marmor@netmask.it
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020 8 Yad-Harutzim St.
Fax.: +972-9-766-1314 P.O.B. 7004
Mobile: +972-50-5237338 Kfar-Saba 44641, Israel
Re: Session/Cookie-Based Authentication Library
Posted by Max Kellermann <ma...@duempel.org>.
On 2005/09/22 14:11, Eli Marmor <ma...@netmask.it> wrote:
> By the way: it may be based on libapreq2. And if I come into it,
> then what about the following idea: to add some authentication
> functions to libapreq2; In any case, it already does most of the
> work, including GET/POST parameter manipulation, as well as cookie
> manipulation.
I believe we should not add anything about authentication to libapreq.
It is currently a generic request parser, and should stay so. Adding
authentication would require to make assumptions about the
authentication procedure, which in turn forces users to follow our
assumptions.
There is no disadvantage in implementing authentication in an
additional library.
Max
Re: Summary: [apache-modules] Session/Cookie-Based Authentication
Library
Posted by Bojan Smojver <bo...@rexursive.com>.
On Sun, 2005-09-25 at 18:45 +0300, Eli Marmor wrote:
> If anybody else has anything to add about the differences between these
> library, or even about another library which does the work, please
> speak now or forever hold your peace ;-) (just kidding...)
Only because of the "forever hold your peace" bit... :-)
Yours truly has written mod_spin (and this is therefore a shameless
plug), which can also be used for such a purpose in conjunction with one
of its applications, spin_auth. For now (as of version 1.0.10), only
pages that are mod_spin templates can be authenticated using this code.
New development code (unreleased mod_spin 1.1.0) can provide
authentication for any URL.
The whole thing is based on regular Apache basic authentication, so
whatever Apache supports, this supports. One creates a URL that is going
to be the authentication point and if the user gets in, this is recorded
in the session file (this can be shared between servers if you have a
clustered file system like GFS). This authentication can be over SSL/TLS
(i.e. to prevent basic authentication being ripped to shreds), although
the site can be a plain HTTP site.
The cookie is base on mod_unique_id, but it is accompanied by an MD5
digest of itself and a salt (at least 30 characters) defined in the
configuration file. The salts can be periodically rotated by an external
script to further strengthen the digest. This requires a graceful
restart of the server (which can be, of course, done under load -
compliments of Apache developer :-).
How good/bad and how (in)secure this whole thing is, you will have to
judge for yourself, as this is not really a community project, but my
own little concoction. The code is licensed under the GPL with exception
to link with Apache and libapreq2.
--
Bojan
Re: Summary: [apache-modules] Session/Cookie-Based Authentication
Library
Posted by "Philip M. Gollucci" <pg...@p6m7g8.com>.
Eli Marmor wrote:
> As for the long run, I plan to write my own piece of code, based on
> libapreq2; I plan to open it, of course.
>
> Meanwhile, I want to thank Ian and Reginald for their generous help!
I've seen lots of people ask for this.
It might not be bad idea to make a libapreq2-util code base for things like this
that depends on libapreq2. Similiar to the apr, apr-util setup ?
I guess that would go in:
asf/httpd/apreq-util/trunk ?
--
END
------------------------------------------------------------
What doesn't kill us can only make us stronger.
Nothing is impossible.
Philip M. Gollucci (pgollucci@p6m7g8.com) 301.254.5198
Consultant / http://p6m7g8.net/Resume/
Senior Developer / Liquidity Services, Inc.
http://www.liquidityservicesinc.com
http://www.liquidation.com
http://www.uksurplus.com
http://www.govliquidation.com
http://www.gowholesale.com
Summary: [apache-modules] Session/Cookie-Based Authentication Library
Posted by Eli Marmor <ma...@netmask.it>.
[cross posting to two mailing lists]
So far I've received two recommendations about a C library to help
authenticate users based on cookies (and optionally IP/URL/etc.):
Reginald De Crombrugghe recommended mod_auth_tkt (one of the libraries
which were mentioned in my original question), and Ian Holsman (core
developer of Apache httpd) recommended mod_auth_mda.
There are many alternatives, but the amazing point that I found out
immediately after looking at these two libraries, was that they are a
fork of the same base (which was called mod_auth_tkt).
Meanwhile, since the fork, both have added features and changes, so
I'll have to investigate these changes and adopt the better one.
By the way, both support only cookies based sessions.
If anybody else has anything to add about the differences between these
library, or even about another library which does the work, please
speak now or forever hold your peace ;-) (just kidding...)
As for the long run, I plan to write my own piece of code, based on
libapreq2; I plan to open it, of course.
Meanwhile, I want to thank Ian and Reginald for their generous help!
--
Eli Marmor
marmor@netmask.it
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.: +972-9-766-1020 8 Yad-Harutzim St.
Fax.: +972-9-766-1314 P.O.B. 7004
Mobile: +972-50-5237338 Kfar-Saba 44641, Israel