This configuration file comes from a real-world example. It uses expiry and remote IP checking.
- Add this to your httpd.conf. You can embed it e.g. between <Location> or <Directory> tags:
# mod_auth_cookie_mysql1/2 module
# You may choose any name value for AuthType, e.g. "Cookie"
AuthType Cookie
# Enable the module
AuthCookieSql on
# MANDATORY. Database configuration.
AuthCookieSql_DBhost localhost
AuthCookieSql_DBuser dbuser
AuthCookieSql_DBpassword dbpassword
AuthCookieSql_DBName sessions
# MANDATORY. Database table name.
AuthCookieSql_DBtable site_sessions
# MANDATORY. Database table fields configuration.
# The following 3 lines are needed. Change their value
# to the fieldnames of your table.
AuthCookieSql_SessnameField sessname
AuthCookieSql_SessvalField sesskey
AuthCookieSql_UsernameField username
# OPTIONAL. If you set a cookie name with the following
# option, only cookies with that name will be accepted
# from the browser and compared with the contents
# of the database. If you omit this line, all cookies sent
# by the browser are compared with the cookies stored
# in the database.
#AuthCookieSql_CookieName myCookie
# OPTIONAL. With the following option, you can check the
# age of the cookies received from the browser. If the time
# (unix timestamp) stored in the database is older than the
# actual time on the server this module is running on, the
# cookie is not accepted. Set the name of the column which
# contains the expiry information here.
AuthCookieSql_ExpiryField expiry
# OPTIONAL. You can set the remote IP in the database from
# where the browser may access the site. The cookie sent by
# the browser is accepted only if the remote IP stored in
# this column is equal to the IP the browser connects from.
CookieAuth_RemoteIPField remoteip
# MANDATORY. Tells apache that only valid users are
# allowed. Please refer to the apache manual to get more
# information about possible options for "require".
require valid-user
- The following database structure can be used with the configuration file example above.
CREATE TABLE `site_sessions` (
  `sessname` varchar(32) NOT NULL,
  `sesskey` varchar(32) NOT NULL,
  `expiry` int(11) default '0',
  `remoteip` varchar(15) NOT NULL,
  `username` varchar(32) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
- Now you have to write an application/script that sends a cookie to the browser and stores that cookie information in the database.
That script can be used to verify a username/password combination. How you verify your users is entirely up to you.
As an example: if the verification succeeded and you send a cookie to a client which connects from IP 192.168.861.168, with the cookie name "name_vdf54sd56" and the cookie key "key_uio3b5643v", and the session shall expire at unix timestamp 1177503214, a sample database entry can look like:
INSERT INTO `site_sessions` VALUES ('name_vdf54sd56', 'key_uio3b5643v', 1177503214, '192.168.861.168', 'digithi');
From now on, every time the client connects to the area secured by this module, the cookie with that random cookie data is transferred between browser and server, but no username/password data. The module compares the cookie(s) sent by the browser with the information stored in the database. If valid information is found in the database, the client may access the site.
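One way to write the login-side script this step asks for, with a model of the cookie, expiry and remote IP checks described above. This is an added example, not code from the module or its author. It assumes an in-memory sqlite3 database in place of MySQL; the function names, the `sess_` prefix and the cookie attributes are hypothetical.

```python
import secrets
import sqlite3
import time

# sqlite3 in memory stands in for the MySQL "sessions" database (assumption,
# so the example runs offline); the columns follow the CREATE TABLE above.
SCHEMA = """CREATE TABLE site_sessions (
    sessname TEXT NOT NULL, sesskey TEXT NOT NULL, expiry INTEGER DEFAULT 0,
    remoteip TEXT NOT NULL, username TEXT NOT NULL)"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def issue_session(db, username, remote_ip, lifetime=3600, now=None):
    """Call only after your own username/password check has succeeded."""
    now = int(time.time()) if now is None else now
    # Unpredictable values from the OS CSPRNG; both fit into varchar(32).
    name = "sess_" + secrets.token_hex(8)
    key = secrets.token_hex(16)  # 128 bits, 32 hex characters
    # Placeholders keep the username and IP out of the SQL text.
    db.execute("INSERT INTO site_sessions VALUES (?, ?, ?, ?, ?)",
               (name, key, now + lifetime, remote_ip, username))
    db.commit()
    header = f"Set-Cookie: {name}={key}; Max-Age={lifetime}; Path=/; HttpOnly"
    return name, key, header


def check_cookie(db, name, key, remote_ip, now=None):
    """Model of the checks the page describes (not the module's source):
    name and key must match a row, the stored expiry must not be older than
    now, and the stored IP must equal the connecting IP."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT username FROM site_sessions WHERE sessname = ? AND sesskey = ?"
        " AND expiry >= ? AND remoteip = ?", (name, key, now, remote_ip)).fetchone()
    return row[0] if row else None


def purge_expired(db, now=None):
    """Delete rows whose expiry has passed; returns how many were removed."""
    now = int(time.time()) if now is None else now
    cur = db.execute("DELETE FROM site_sessions WHERE expiry < ?", (now,))
    db.commit()
    return cur.rowcount
```

Running `purge_expired` periodically keeps expired rows from accumulating in the table the module queries on every request.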