Posted to users@httpd.apache.org by Santiago DIEZ <sa...@caoba.fr> on 2014/11/05 10:00:30 UTC

[users@httpd] Basic allow/deny based on cookies

Hello,

Note: I'm a system administrator and I don't know that much about web
development. So I host what others develop.

I'm trying to set up a web server with an application like this:

*/var/www/public*

   - It would be publicly accessible. Meaning any computer can load the
   content and I leave it to the php developer to control access within that
   directory.
   - I know how to do that. It's just a basic web server.

*/var/www/exhibition*

   - It has to be accessible only to specific computers located in an
   exhibition room.
   - I cannot rely on the ip address because the exhibition will move from
   place to place.
   - I need to avoid any manual authentication because people will probably
   mess around with the computers and access to the web application has to
   resume as soon as the computer is restarted. No one should have to enter a
   password.
   - Then I had the idea that it could be a cookie file that I store in
   each authorized workstation. There's a security issue in the sense that
   one could somehow transfer the cookie file to his system and hence get
   access to the private area. But we're not that concerned and we're not
   dealing with nuclear material anyway. So no big deal.


*Questions*

   - Is my idea considerable?
   - I've read documentation of mod_access_compat
   <http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html> and
   mod_usertrack <http://httpd.apache.org/docs/2.4/mod/mod_usertrack.html>
   but I don't see how to make them work together. Can anyone point me in the
   right direction?
   - I'm open to other suggestions given they fall into the constraints I
   mentioned above.


Thanks for your help

Regards
-------------------------
*Santiago DIEZ*
-------------------------

-------------------------
*Quark Systems & CAOBA*

*23 rue du Buisson Saint-Louis, 75010 Paris*
-------------------------
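For reference, here is one way to express the cookie-gated layout described above in Apache 2.4 configuration. This is an added example, not configuration from the thread or from the Apache project; the hostname, certificate paths, cookie name, htpasswd path and the `/enrol` location are assumptions chosen for illustration. It uses `SetEnvIf` (mod_setenvif) to recognise the cookie and `Require env` (mod_authz_host) to gate the directory, so neither mod_access_compat nor mod_usertrack is needed. A one-time `/enrol` location, protected by basic authentication, installs the cookie in each workstation's browser so that nobody has to type a password afterwards and access survives a reboot.

```apache
# Added example, not from the thread: Apache 2.4 virtual host serving
# /var/www/public to everyone and /var/www/exhibition only to browsers
# that present a pre-provisioned cookie. Hostname, paths, cookie name and
# the /enrol location are placeholders chosen for this example.

# Shared secret carried by authorised workstations. Generate it once (for
# instance with "openssl rand -hex 32"); hex keeps it free of regex
# metacharacters. Rotate it by changing this one line and re-enrolling.
Define EXHIBITION_SECRET REPLACE_WITH_LONG_RANDOM_HEX_VALUE

<VirtualHost *:443>
    ServerName exhibition.example.org

    # TLS so the cookie is never sent in clear text on the exhibition network.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/exhibition.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/exhibition.example.org.key

    # Public area: anyone may read it; the PHP application handles the rest.
    DocumentRoot /var/www/public
    <Directory /var/www/public>
        Require all granted
    </Directory>

    # Mark the request when the cookie is present with exactly that value.
    # The pattern is anchored to the cookie name so a cookie such as
    # "notexhibition_access=..." cannot match by accident.
    SetEnvIf Cookie "(^|;\s*)exhibition_access=${EXHIBITION_SECRET}(;|$)" exhibition_ok

    # Restricted area: only requests carrying the marker get through;
    # everything else receives 403.
    Alias /exhibition /var/www/exhibition
    <Directory /var/www/exhibition>
        Require env exhibition_ok
    </Directory>

    # One-time provisioning. /var/www/enrol holds a single static page saying
    # "workstation enrolled". An administrator opens /enrol on each kiosk,
    # authenticates once with basic auth, and the response stores the cookie
    # for a year. Secure + HttpOnly keep it off plain HTTP and away from
    # page scripts; it remains a bearer secret, as the original post notes.
    Alias /enrol /var/www/enrol
    <Directory /var/www/enrol>
        AuthType Basic
        AuthName "Exhibition enrolment"
        AuthUserFile /etc/apache2/exhibition.htpasswd
        Require valid-user
        Header always set Set-Cookie "exhibition_access=${EXHIBITION_SECRET}; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=31536000"
    </Directory>
</VirtualHost>
```

Because the cookie value is a fixed shared secret, anyone who copies it from a workstation's browser profile gets the same access; the risk is the one the original post accepts. Whoever holds the secret can be cut off at any time by changing the `Define` line, reloading httpd and re-enrolling the legitimate workstations.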

Re: [users@httpd] Basic allow/deny based on cookies

Posted by Igor Cicimov <ic...@gmail.com>.
> Questions
> Is my idea considerable?
> I've read documentation of mod_access_compat and mod_usertrack but I
> don't see how to make them work together. Can anyone point me in the right
> direction?
> I'm open to other suggestions given they fall into the constraints I
> mentioned above.

Regarding cookie authentication, using something like
libapache2-mod-auth-memcookie (Debian/Ubuntu) in an SSL host should provide
what you want. The SSL should protect you from traffic sniffing and MITM.

The suggestion of using client SSL certificates will also do the trick, but
that requires setting up a PKI and a self-signed CA, or a CA signed by an official
authority, depending on how important the certificate verification is for you.
The Apache config is then explained in the Apache 2.x official documentation.
The link sent to you in the previous reply should also do.

The only other autologin option I can think of might be basic Apache
authentication, and then you put the encrypted username and password in the
URL or query string. Then you can put this URL as a shortcut on each client
station desktop. But in this case you will expose the URL in the browser
bar and the shortcut, so again you will need to trust the users that they are not
going to steal it.

Re: [users@httpd] Basic allow/deny based on cookies

Posted by Santiago DIEZ <sa...@caoba.fr>.
Hi Julien,

Thanks for the idea.
Sounds very promising, although quite hard for me to get into.
I'll definitely thoroughly study the case.
Is this the page <http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html>
related to your proposal?

Still, if anyone has an easier solution, I'm interested. Again, strong
security is not required. Just something that allows the server to allow
browsing only to specific computers.

Regards
-------------------------
*Santiago DIEZ*
*+33 6 37 90 81 98*
-------------------------

-------------------------
*Quark Systems & CAOBA*

*23 rue du Buisson Saint-Louis, 75010 Paris*
-------------------------

On Wed, Nov 5, 2014 at 10:54 AM, Julien Etter <ju...@juno.co.uk>
wrote:

>    A better approach would be to use Client Certificate Authentication /
> Access Control

RE: [users@httpd] Basic allow/deny based on cookies

Posted by Julien Etter <ju...@juno.co.uk>.
A better approach would be to use Client Certificate Authentication / Access
Control

 

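To make the client-certificate suggestion concrete, here is an Apache 2.4 configuration that admits only browsers holding a certificate issued by a private CA run for the exhibition, one certificate per workstation. This is an added example, not configuration from the thread or from the Apache project; the hostname, certificate and CA paths, and the CA's organisation name are assumptions. Creating the CA and issuing the per-workstation certificates (the PKI work mentioned in the other reply) is assumed to have been done separately.

```apache
# Added example, not from the thread: Apache 2.4 virtual host whose
# /exhibition area is reachable only with a client certificate issued by
# the exhibition's own private CA. Hostname, paths and the organisation
# name "Exhibition Private CA" are placeholders chosen for this example.
<VirtualHost *:443>
    ServerName exhibition.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/exhibition.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/exhibition.example.org.key

    # Trust anchor for client certificates: only our own private CA, never
    # the system bundle, so a certificate from a public CA is useless here.
    SSLCACertificateFile /etc/ssl/exhibition-ca/ca.crt

    # Certificates of lost or decommissioned workstations are listed in this
    # CRL; a revoked certificate is refused even though it is otherwise valid.
    SSLCARevocationFile  /etc/ssl/exhibition-ca/crl.pem
    SSLCARevocationCheck chain

    # Public area stays open to everyone.
    DocumentRoot /var/www/public
    <Directory /var/www/public>
        Require all granted
    </Directory>

    Alias /exhibition /var/www/exhibition
    <Directory /var/www/exhibition>
        # Demand a client certificate for this path and require that it
        # chains to the CA above. Once the certificate is installed in the
        # workstation's browser it is presented automatically, so there is
        # no prompt after a reboot.
        SSLVerifyClient require
        SSLVerifyDepth 1
        # Belt and braces: also pin the issuer, in case the CA file ever
        # grows to contain more than one CA.
        Require expr %{SSL_CLIENT_I_DN_O} == "Exhibition Private CA"
    </Directory>
</VirtualHost>
```

Placing `SSLVerifyClient` inside a `<Directory>` makes httpd renegotiate the TLS session when the restricted path is first requested; if that causes trouble with a particular browser, move `SSLVerifyClient require` up to the `<VirtualHost>` level on a dedicated hostname for the exhibition area. Compared with the cookie approach, the private key never leaves the workstation in normal operation, and a stolen or mislaid workstation is handled by adding its certificate to the CRL rather than by rotating a secret shared by all of them.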