Posted to users@httpd.apache.org by Tosh Cooey <to...@1200group.com> on 2009/09/14 11:07:25 UTC

[users@httpd] htaccess using AuthCookieDBI not protecting the directory index

Hi, I posted the follow to the mod_perl list:

I'm trying to protect a directory using Apache2::AuthCookieDBI with the 
following .htaccess (I have to use htaccess)

--------------------
PerlModule Apache2::AuthCookieDBI
PerlSetVar berlinPath /berlin/
PerlSetVar berlinLoginScript /login.pl

PerlSetVar berlinSessionTimeout +2h

PerlSetVar berlinDBI_DSN "DBI:mysql:database=berlin"
PerlSetVar berlinDBI_SecretKey "secret"

# DBI access stuff...
PerlSetVar berlinDBI_User "user"
... etc ...

# Protected by AuthCookieDBI.
  AuthType Apache2::AuthCookieDBI
  AuthName berlin
  PerlAuthenHandler Apache2::AuthCookieDBI->authenticate
  PerlAuthzHandler Apache2::AuthCookieDBI->authorize
  require valid-user

# Login location.
<Files LOGIN>
  AuthType Apache2::AuthCookieDBI
  AuthName berlin
  SetHandler perl-script
  PerlHandler Apache2::AuthCookieDBI->login
</Files>
--------------------

When I go to my protected URL www.myserver.com/berlin/ I am presented 
with the login form, which I've added some status variables to; the 
status is that there is no cookie present, which is to be expected since 
nothing has been set yet.  Once I send authentication variables I am 
still not logged in and I'm given a new URL 
www.myserver.com/berlin/LOGIN, which is still expected behaviour, but the 
status variable is still "no cookie", which means no cookie is being 
set.  This makes me suspect that I am just dumb and doing something 
super-basic wrong, but I can't figure it out.

Vegard Vesterheim on the mod_perl list suggested the cause was "related 
to Apache issuing subrequests for directory requests. Check out this 
thread: http://marc.info/?t=119996312400002&r=1&w=2 "

If this is true then I have trouble believing that this issue hasn't 
been addressed at the module level (AuthCookieDBI) since protecting 
various directories seems pretty standard.

Anyway, my solution for now is to just protect the *.pl files <Files ~ 
"\.(pl)$"> and redirect the index to index.pl which is not elegant but 
works.  Is there a better way?

Thank you!

Tosh


-- 
McIntosh Cooey - Twelve Hundred Group LLC - http://www.1200group.com/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] htaccess using AuthCookieDBI not protecting the directory index

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:
> Tosh Cooey wrote:
> ...
> Hi.
> Does your login form page contain links to other things (for example, 
> images), which are also located in the /berlin/ area, or in other 
> directories/locations protected by the same authentication?
> 
> 
A bit of explanation, as a complement:
I have not looked at the code of the Auth module you are using, but 
usually, these modules are smart enough to skip authentication (and 
return OK) when the call is made internally from within Apache, as a 
sub-request.
What these modules cannot do, however, is skip authentication for 
multiple calls made from the browser at (about) the same time.
In other words:
- suppose your login page itself contains a link like
<img src="/berlin/images/mylogo.gif" />.
- You ask for a protected page.  The server auth module notices that it 
is protected, and that there is no authentication cookie, so it sends 
the login page to the browser.  When the browser sees the above link in 
this login page, it immediately issues another request for that image. 
The server now gets another request, and notices that it is for an 
object in a protected area. But it has still not received an 
authentication cookie with that request.  So it sends back the login 
page...
Get it?
The same applies to any links to stylesheets, for example.
You also get similar, apparently bizarre behaviour when the original 
page requested is a frame document, with several frames residing in 
protected areas.  You would then get bits of login pages in each frame, 
which looks ugly.

The solution to the above is either to move the image to a directory 
that is not subject to this authentication, or to tell the 
authentication module - if it provides such an option - to skip 
authentication for images, for example.

A browser plugin like HttpFox (for Firefox) or Fiddler2 (for IE) helps a 
lot in tracking down this kind of issue.
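The following .htaccess fragment is an added example, not part of the thread and not something the AuthCookieDBI module documents. It implements the first of the two options above at the Apache level: the images and stylesheets that the login page references stay inside /berlin/, but are exempted from the cookie check so the browser can fetch them without a session. It assumes Apache 2.2 with mod_authz_host loaded and an AllowOverride that includes AuthConfig and Limit, and that the AuthType/PerlAuthenHandler directives from the original post are already in place above it.

```apache
# Added example (not from the thread). Assumes Apache 2.2 + mod_authz_host
# and AllowOverride AuthConfig Limit; the AuthType / PerlAuthenHandler /
# require valid-user directives from the original .htaccess are assumed
# to be present above this block and still apply to everything else.

# Static assets the login page needs: skip authentication entirely.
# With "Satisfy Any", a successful access check (Allow from all) makes
# Apache 2.2 skip the check_user_id and auth_checker phases, so the
# PerlAuthenHandler is never called for these files and the browser
# gets the image instead of another copy of the login page.
<FilesMatch "\.(gif|png|jpe?g|css|js|ico)$">
  Order allow,deny
  Allow from all
  Satisfy Any
</FilesMatch>

# Everything else in the directory keeps the default "Satisfy All",
# i.e. the cookie check from the directives above still runs.
```

Keep the extension list tight so that nothing ending in .pl (or any other handler-backed file) can match; the exemption is for files Apache serves as plain static content only. The check that it worked is the one already suggested above: in HttpFox or Fiddler2, the request for /berlin/images/mylogo.gif should now come back with an image content-type rather than the HTML of the login page, while a request for a .pl file without a cookie still produces the form. The other option, moving the assets to a directory outside /berlin/, needs no directives at all and is the simpler choice when the layout allows it.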


Re: [users@httpd] htaccess using AuthCookieDBI not protecting the directory index

Posted by André Warnier <aw...@ice-sa.com>.
Tosh Cooey wrote:
...
Hi.
Does your login form page contain links to other things (for example, 
images), which are also located in the /berlin/ area, or in other 
directories/locations protected by the same authentication?

