#842 auth with cookie

Status: open
Owner: nobody
Labels: Other (220)
Priority: 5
Updated: 2012-10-11
Created: 2010-06-01
Creator: Anonymous
Private: No

Over the last few days I have been thinking about frontend authentication. We cannot use $AllowAccessFromWebToAuthenticatedUsersOnly because we already have a customer backend and I didn't want to change its login to HTTP auth.
What came to my mind was a cookie with a secure hash which the backend sets and awstats compares with the same algorithm. This hash has to be different from config to config because otherwise the customers could look at one another's statistics, and different from installation to installation because otherwise everyone could just hash a certain string and set the cookie manually. So in the end my idea is this:

Customer Backend

  • Generate SHA1 hash of ($prefix . $domain . $postfix)
  • Set cookie awstatsAuthCookie=$hash; path=dirname($path);
  • Provide a link to $path?config=$domain

Awstats

  • Read hash from the cookie
  • Generate its own hash (so the configuration of the backend and awstats has to be the same, of course)
  • Compare both and, if they are not equal, throw an error

So I have the following new config variables:

AllowAccessWithCookieOnly=1
AllowAccessWithCookieOnlyPrefix="pr3"
AllowAccessWithCookieOnlyPostfix="po$t"

Any user should modify these affixes for the reasons named above!

For the code see the attached patch.

greetz
Jonny007
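The two sides of the scheme described in the ticket, written out as an added example in Python (the ticket's own code is in the attached patch, which is not reproduced here). The affix values, the cookie name, the stats path and the config names are taken from or modelled on the ticket; the constant-time comparison via hmac.compare_digest is an addition of this example, not something the ticket specifies.

```python
import hashlib
import hmac
import posixpath
from http.cookies import SimpleCookie

# Constructed sample values standing in for AllowAccessWithCookieOnlyPrefix
# and AllowAccessWithCookieOnlyPostfix. They are the shared secret between the
# customer backend and AWStats and must be unique per installation.
PREFIX = "pr3"
POSTFIX = "po$t"
COOKIE_NAME = "awstatsAuthCookie"


def cookie_hash(domain, prefix=PREFIX, postfix=POSTFIX):
    """SHA1(prefix . domain . postfix), exactly as the ticket describes.

    Because the config name is part of the input, a cookie minted for one
    customer's config is not valid for another customer's config.
    """
    return hashlib.sha1((prefix + domain + postfix).encode("utf-8")).hexdigest()


def backend_set_cookie(domain, stats_path="/stats/awstats.pl"):
    """Customer backend side (hypothetical): Set-Cookie header and stats link.

    Returns (set_cookie_header, link) so a web framework can emit both.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = cookie_hash(domain)
    # Scope the cookie to the directory holding awstats.pl, as in the ticket.
    cookie[COOKIE_NAME]["path"] = posixpath.dirname(stats_path)
    return cookie.output(header="Set-Cookie:"), f"{stats_path}?config={domain}"


def awstats_check(cookie_header, config):
    """AWStats side (hypothetical): recompute for the requested config.

    cookie_header is the raw value of the browser's Cookie: request header.
    Returns True only when the cookie is present and matches the hash for
    the config the request asks for; a missing cookie is rejected, not
    treated as an error the caller might overlook.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return False
    # Constant-time comparison so the check does not leak how many leading
    # characters of a presented value were correct.
    return hmac.compare_digest(morsel.value, cookie_hash(config))


if __name__ == "__main__":
    header, link = backend_set_cookie("example.com")
    print(header)
    print(link)
    browser_cookie = f"{COOKIE_NAME}={cookie_hash('example.com')}"
    print("same config:", awstats_check(browser_cookie, "example.com"))
    print("other config:", awstats_check(browser_cookie, "other.example"))
```

The two negative cases in the main block are the two requirements the ticket states: the same cookie is rejected when the request names a different config, and a cookie computed with different affixes (another installation) is rejected as well. Note that the scheme is a plain hash over a concatenation; where a keyed tag is wanted today, an HMAC over the config name with the installation secret as key is the conventional construction, but the block above follows the ticket's design as written.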

Discussion