Auth MemCookie
What is "Auth MemCookie"?
"Auth MemCookie" are an Apache v2 authentification and authorization
modules are based on "cookie" authentification mecanism.
The module don't make authentification by it self, but verify
if
authentification "the cookie" are valid for each url
protected by the module. The module validate also if the
"authentificated user" have authorisation to
acces url.
Authentification are made externaly by an authentification form page
and all authentification information nessary to the module a stored in
memcached indentified by the cookie value "authentification session
id" by this login page.
How it Works
Phase 1 : The login Form
Authentification are made by a
login formular page.
This login page must authenticate the user with any
authenticate source
(ldap, /etc/password, file, database....) accessible to langage of the
page (php, perl, java... an ldap login page sample in php are in
samples directory).
Then must set cookie that contain only a key
the "authentification unique id" of the "authentification session".
The login page must store authorisation and user information
of the authenticated user in memcached
identified by the cookie key "authentification unique id".
The
login page can be developted in any langage you want, but must be
capable to use memcached (they must have memcache client api for us)
Phase 2 : The Apache v2 Module
After the user are logged, the apache 2 module check on each protected
page by apache ACL the presence of the "cookie".
if the "cookie" exist, try to get session in memcached
with the "cookie" value if not found return "HTTP_UNAUTHORIZED"
page.
if session exist in memcached
verify if acl match user session information if not match return
"HTTP_FORBIDDEN"
page.
Session format stored in memcached
The session store in memcached are composed with multiple line in forme
of "name"
egual "value"
ended by "\r\n".
some are mandatory, other are
obtional and the reste are information only (all this field are
transmited to the script langage protect the module).
Session format :
UserName=<user name>\r\n
Groups=<groupe name1>:<group name2>:...\r\n
RemoteIP=<remote ip>\r\n
Password=<password>\r\n
Expiration=<expiration time>\r\n
Email=<email>\r\n
Name=<name>\r\n
GivenName=<given name>\r\n
- Username:
are
mandatory.
- Groups:
are
mandatory, are used to check group in apache acl. if no
group are know for the user, must be blank (Groups=\r\n)
- RemoteIP:
are mandatory, used by remote ip check function in apache
module.
- Password:
are not mandatory, and is not recomanded to
store in
memcached for security reson, but if strored, is sended to the
script language protected by the module.
- The other field are information only, but they are sended
to langage
that are behind the module (via environement variable or http header).
The session fields size are for the moment limited to 10 fields by
default.
Build dependency
You must have compiled and installed :
Compilation
You must modify Makefile:
- set correctly the MY_APXS varriable to point to the apache
"apxs" scripts.
- add the memcache library path in MY_LDFLAGS variable if
nessesary (-L<my memcache lib path>)
How to compile:
#make
#make install
After that the "mod_auth_memcookie.so" are genereted in apache
"modules" directory.
How to configure Apache Module
Module configuration option:
This option can be used in "location" or "directory" apache context.
- Auth_memCookie_Memcached_AddrPort
Liste of ip or host
adresse(s) and port ':' separed of memcache(s) daemon to be
used, coma separed.
For exemple:
host1:12000,host2:12000
- Auth_memCookie_Memcached_SessionObject_ExpireTime
Session object stored in
memcached expiry time, in secondes.
Used only if "Auth_memCookie_Memcached_SessionObject_ExpiryReset" is
set to on.
Set to 3600 seconds by default.
- Auth_memCookie_Memcached_SessionObject_ExpiryReset
Set to 'no' to not reset
object expiry time in memcache on each url... set to yes by default
- Auth_memCookie_SessionTableSize
Max number of element in
session information table. set to 10 by default.
- Auth_memCookie_SetSessionHTTPHeader
Set to 'yes' to set
session information to http header of the authenticated users, set to
no by default.
- Auth_memCookie_SetSessionHTTPHeaderEncode
Set to 'yes' to mime64
encode session information to http header, set to no by default.
- Auth_memCookie_CookieName
Name of the cookie to used
for check authentification, set to "AuthMemCookie" by default.
- Auth_memCookie_MatchIP_Mode
Set to '0' to not check IP address set in cookie with the remote browser ip, set to '0' by default. To check cookie ip adresse, Set to '1' to use 'X-Forwarded-For' http header, to '2' to use 'Via' http header, and to '3' to use apache remote_ip.
- Auth_memCookie_GroupAuthoritative
Set to 'no' to allow
access control to be passed along to lower modules, for group acl
check. set to 'yes' by default.
- Auth_memCookie_Authoritative
Set to 'yes' to allow
access control to be passed along to lower modules.Set to 'no' by
default.
- Auth_memCookie_SilmulateAuthBasic
Set to 'no' to not fix http header and auth_type for simulating auth basic for scripting language like php auth framework work (set PHP_AUTH_* $SERVER variable in php and apache REMOTE_USER and AUTH_TYPE vars)., set to 'yes' by default
Sample to configure Apache v2 Module:
Configuration sample for using Auth_memcookie apache V2 module:
LoadModule mod_auth_memcookie_module modules/mod_auth_memcookie.so
<IfModule mod_auth_memcookie.c>
<Location />
Auth_memCookie_CookieName myauthcookie
Auth_memCookie_Memcached_AddrPort 127.0.0.1:11000
# to redirect unauthorized user to the login page
ErrorDocument 401 "/gestionuser/login.php"
# to specify if the module are autoritative in this directory
Auth_memCookie_Authoritative on
# must be set without that the refuse authentification
AuthType Cookie
# must be set (apache mandatory) but not used by the module
AuthName "My Login"
</Location>
</IfModule>
# to protect juste user authentification
<Location "/myprotectedurl">
require valid-user
</Location>
# to protect acces to user in group1
<Location "/myprotectedurlgroup1">
require group group1
</Location>