Sample Configuration

This configuration file comes from a real-world example. It uses expiry and remote IP checking.

  • Add this to your httpd.conf. You can embed it, e.g., between <Location> or <Directory> tags:

    # mod_auth_cookie_mysql1/2 module

    # You may choose any name for AuthType, e.g. "Cookie"
    AuthType Cookie

    # Enable the module
    AuthCookieSql on

    # MANDATORY. Database configuration.
    AuthCookieSql_DBhost localhost
    AuthCookieSql_DBuser dbuser
    AuthCookieSql_DBpassword dbpassword
    AuthCookieSql_DBName sessions


    # MANDATORY. Database table name.
    AuthCookieSql_DBtable site_sessions

    # MANDATORY. Database table fields configuration.
    # The following 3 lines are needed. Change their value
    # to the fieldnames of your table.
    AuthCookieSql_SessnameField sessname
    AuthCookieSql_SessvalField sesskey
    AuthCookieSql_UsernameField username


    # OPTIONAL. If you set a cookie name with the following
    # option, only cookies with that name are accepted from
    # the browser and compared with the contents of the
    # database. If you omit this line, all cookies sent
    # by the browser are compared with the cookies stored
    # in the database.
    #AuthCookieSql_CookieName myCookie

    # OPTIONAL. With the following option, you can check the
    # age of the cookies received from the browser. If the time
    # (unix timestamp) stored in the database is older than the
    # current time on the server this module is running on, the
    # cookie is not accepted. Set the name of the column which
    # contains the expiry information here.
    AuthCookieSql_ExpiryField expiry

    # OPTIONAL. You can store in the database the remote IP
    # from which the browser may access the site. The cookie sent
    # by the browser is accepted only if the IP stored in the
    # remoteip column is equal to the IP the browser connects from.
    CookieAuth_RemoteIPField remoteip

    # MANDATORY. Tells apache that only valid users are
    # allowed. Please refer to the apache manual to get more
    # information about possible options for "require".
    require valid-user

  • The following database structure can be used with the configuration file example above.

    CREATE TABLE `site_sessions` (
      `sessname` varchar(32) NOT NULL,
      `sesskey` varchar(32) NOT NULL,
      `expiry` int(11) default '0',
      `remoteip` varchar(15) NOT NULL,
      `username` varchar(32) NOT NULL
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1;

  • Now you have to write an application or script (in PHP, Java, Perl or whatever you like) which sends
    a cookie to the browser and stores that cookie's information in the database.

    That script can be used to verify a username/password combination. How you verify the user is
    entirely up to you.

    As an example, if the verification succeeded, you send a cookie to a client which connects from IP

        192.168.861.168

    with the cookiename

       "name_vdf54sd56"

    and the cookiekey

       "key_uio3b5643v"

    and the session shall expire at unix timestamp

       1177503214

    a sample database entry line can look like:

    INSERT INTO `site_sessions` VALUES ('name_vdf54sd56', 'key_uio3b5643v', 1177503214, '192.168.861.168', 'digithi');

    From now on, every time the client connects to the area secured by this module, only the cookie with that random
    cookie data is transferred between browser and server, not the username/password data. The module compares the
    cookie(s) sent by the browser with the information stored in the database. If valid information is found in the
    database, the client may access the site.
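
An added example (not part of the module or its documentation) of the login-side script described above, in Python: it creates the random cookie name and key, stores them with expiry and remote IP, and builds the Set-Cookie header, while check_session models the checks the configuration comments describe. Assumptions: an in-memory sqlite3 database stands in for MySQL, and the function names, the cookie attributes and the client IP 192.0.2.10 are constructed for illustration.

```python
import secrets
import sqlite3
import time
from http.cookies import SimpleCookie

# Assumption: in-memory sqlite3 stands in for the MySQL "sessions" database;
# column names follow the site_sessions table shown on this page.
def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE site_sessions (sessname TEXT NOT NULL,"
               " sesskey TEXT NOT NULL, expiry INTEGER DEFAULT 0,"
               " remoteip TEXT NOT NULL, username TEXT NOT NULL)")
    return db

def issue_session(db, username, remote_ip, ttl=1800, now=None):
    """Call only after the username/password check has succeeded."""
    now = int(time.time()) if now is None else now
    # CSPRNG output, never derived from user data; both fit varchar(32).
    name = "name_" + secrets.token_hex(13)   # 31 characters
    key = secrets.token_hex(16)              # 128 bits, 32 characters
    # Placeholders keep username and IP out of the SQL text.
    db.execute("INSERT INTO site_sessions VALUES (?, ?, ?, ?, ?)",
               (name, key, now + ttl, remote_ip, username))
    db.commit()
    cookie = SimpleCookie()
    cookie[name] = key
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = ttl
    cookie[name]["httponly"] = True    # not readable from page scripts
    cookie[name]["secure"] = True      # sent over HTTPS only
    cookie[name]["samesite"] = "Strict"
    return name, key, cookie.output(header="Set-Cookie:")

def check_session(db, cookies, remote_ip, now=None):
    """Model of the checks described in the configuration comments (not the
    module's source): name/value match, expiry not passed, same remote IP."""
    now = int(time.time()) if now is None else now
    for name, key in cookies.items():
        row = db.execute(
            "SELECT username FROM site_sessions WHERE sessname = ?"
            " AND sesskey = ? AND expiry >= ? AND remoteip = ?",
            (name, key, now, remote_ip)).fetchone()
        if row:
            return row[0]
    return None

if __name__ == "__main__":  # demo with a constructed client IP
    db = open_db()
    print(issue_session(db, "digithi", "192.0.2.10")[2])
```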