beyond basic authentication

on 29.12.2006 22:46:20 by Bahadir Balban

Hi,

In apache documentation I only see references to "basic
authentication" be it with hashing or with a dbm file.

In windows asp.net also mentioned is a "forms-based authentication",
which I believe can also be implemented on apache. Is there a
walkthrough guide for anything beyond basic authentication on apache?

For example, how could I serve content based on username, how could I
send passwords in encrypted form? How could I make use of signed
cookies, maintain a session with the same user, etc. Any books to
cover such web development recipes using apache? Preferably using
mod_python?

Thanks,
Bahadir
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: beyond basic authentication

on 29.12.2006 23:06:28 by Matthew Smith

Quoth Bahadir Balban at 12/30/2006 08:16 AM...

> For example, how could I serve content based on username, how could I
> send passwords in encrypted form? How could I make use of signed
> cookies, maintain a session with the same user, etc. Any books to
> cover such web development recipes using apache? Preferably using
> mod_python?

All you need to do is to maintain state, either by using cookies
(easiest) or by getting your software to maintain persistent variables
through the query string (messy).

As this is the modssl list, I am assuming that you are doing this
through an SSL connection. Passwords, therefore, would be encrypted
along with the rest of the data.

So, you send the encrypted user name and password and - if OK - set a
cookie that contains the user name and a hash (MD5, SHA1, etc.) of the user
name and a secret string provided by the server. (Or just the user name
and a hash of the user name and password that can be checked every time
you change page.)

You would need to either a) know that your clients can all accept
cookies, such as in an intranet situation, b) have a fall-back mechanism
to work when cookies are not available or c) disclaim that your system
will not work without cookies. You may be able to get away with this,
but check up on your local accessibility laws (if any).

One thing to always bear in mind is that - except in an intranet
situation - you cannot assume anything of the user agent. If you do
anything clever using JavaScript, say to create a name/password hash
client-side, always provide a means of fallback in case the method
(JavaScript, etc.) is not available.

So, you don't really need to involve Apache in the equation, as your
scripted solution (mod_python, etc) can take care of this. PHP is
rather clever in this respect in that it can look after session
variables [to preserve state] for you. I have written similar
mechanisms in Perl, but prefer the PHP solution as it is easier.

At the end of the day, personally, I use basic authentication + SSL for
all my applications. The only disadvantage is the restriction of one
SSL virtual host per IP address/port.

Hope this gives you some ideas.

Cheers

M

--
Matthew Smith
IT Consultancy & Web Application Development
Business: http://www.kbc.net.au/
Personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy
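As an added illustration of the signed-cookie scheme Matthew describes (user name plus a hash bound to a server-side secret, checked on every page), here is example code that is not part of the thread and not from any of the posters. It departs from the post in three defender-minded ways: it uses an HMAC (SHA-256) over the cookie fields rather than a bare hash of name plus secret, it includes an issue timestamp so a stolen cookie expires, and it compares the MAC in constant time. `SERVER_SECRET`, `COOKIE_NAME`, `SESSION_MAX_AGE` and all function names are assumptions chosen for the example; the secret value is a constructed placeholder.

```python
import hashlib
import hmac
import time

# Constructed secret for this example only; a real deployment loads it from
# configuration outside the document root and rotates it.
SERVER_SECRET = b"example-server-secret-not-for-production"

COOKIE_NAME = "session"          # hypothetical cookie name
SESSION_MAX_AGE = 3600           # seconds a cookie stays valid


def _mac(secret, payload):
    """Keyed MAC over the payload. HMAC rather than hash(name + secret) so the
    secret cannot be brute-forced from a plain concatenated hash and the
    message cannot be extended (length-extension) without the key."""
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def make_session_cookie(username, secret=SERVER_SECRET, issued_at=None):
    """Return 'username|issued_at|mac' for the Set-Cookie header, issued
    after a successful password check (sent over SSL, as the thread assumes)."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    if issued_at is None:
        issued_at = int(time.time())
    payload = "%s|%d" % (username, issued_at)
    return "%s|%s" % (payload, _mac(secret, payload))


def verify_session_cookie(cookie, secret=SERVER_SECRET,
                          max_age=SESSION_MAX_AGE, now=None):
    """Return the username if the cookie is authentic and unexpired, else None.
    Called on every request instead of re-checking the password."""
    if now is None:
        now = int(time.time())
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, issued_str, mac = parts
    if not issued_str.isdigit():
        return None
    payload = "%s|%s" % (username, issued_str)
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _mac(secret, payload)):
        return None
    issued_at = int(issued_str)
    if issued_at > now or now - issued_at > max_age:
        return None
    return username


def username_from_cookie_header(header, **kwargs):
    """Pick our cookie out of a raw 'Cookie:' header value and verify it.
    Returns None when the browser sent no cookie (the fall-back case the post
    mentions) or an invalid one."""
    for item in header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep and name == COOKIE_NAME:
            return verify_session_cookie(value, **kwargs)
    return None


if __name__ == "__main__":
    c = make_session_cookie("alice")
    print("Set-Cookie: %s=%s; Secure; HttpOnly" % (COOKIE_NAME, c))
    print(username_from_cookie_header("other=1; %s=%s" % (COOKIE_NAME, c)))
```

The `Secure` and `HttpOnly` attributes on the issued cookie keep it off plain-HTTP connections and away from page scripts; the expiry check is what limits the damage if a cookie value leaks anyway. Because the user name is stored in the clear and only the MAC protects it, changing the name in the cookie simply fails verification, which is the property the post relies on.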