#6 Allow comparison to stored cookies

Jerry Stuckle

Use case: A user has visited a site before and has a
cookie stored on his hard drive.

I want to be able to authenticate him through
mod_auth_mysql using that cookie.

The cookie gets sent with the HTTP header and can be
extracted inside the module. The problem is to allow
the user to write SQL queries inside .htaccess that
allow him to actually use that cookie info.

The cookie I want to use is pretty simple and looks like

Cookie: PHPSESSID=4d1c818cadc8a321687bba...

I think the easiest way would be to allow the user to
enter a mysql query in freeform mode and let him use
the qualifiers specified in formats[]. Unfortunately my
C is pretty rusty (and was never good to start with...).

Motivation: I am a developer with the Drupal project.
This project currently has a way to protect
uploaded files from unauthorized access, but it is a
bit clumsy. Of course there could be a PHP-based
solution but I'd prefer an Apache module.


I attach a file that contains my initial dabblings in


  • Jerry Stuckle

    Logged In: YES

    Thanks for opening this, Gerhard.

    Just allowing a free-form query won't do it - we need a way
    to select the appropriate cookie - there may be several. I'm
    still thinking about how to handle this.


  • Jerry Stuckle

    • assigned_to: nobody --> jstuckle
  • Jerry Stuckle

    Logged In: YES

    Hello, Gerhard,

    I'm looking into this request. I see cookies are indeed
    available at this time, so we can search for them.

    However, I'm unsure what the best way to proceed here is.
    The way the module is set up we still need to validate the
    user id, even if there is no password.

    The existing substitution parameters will validate in
    addition to the user name. Is this what you want?

    Or are you looking to validate with a cookie instead of a
    userid? If so, I'm not sure we can do this - the
    authorization/authentication mechanism in Apache requires
    some kind of user id.

    We could ignore the userid, but this won't help much. In
    the case of an authentication failure, Apache will still
    request authentication information from the browser (which
    will display the logon popup).

    In either case, you'll see one problem. The logon popup
    will not set a cookie, so if anyone goes there without the
    cookie, they will get the logon popup. However, entering a
    userid and password won't get them any further because
    there's no way to set the cookie.

    So I'm looking for some input from you as to how you would
    like this to work.

    Also - the file you tried to upload didn't make it, so I
    can't look at the code you were using as a comparison.


  • Logged In: YES

    Hi Jerry,
    here comes the additional input:

    I want to use mod_auth_mysql to protect files from being
    downloaded by the wrong people. The files will exist in a
    subdirectory and will be uploaded through Drupal
    (www.drupal.org). Mod_auth_mysql will only be needed to
    protect that subdirectory.

    Drupal will set a cookie for each visitor to the site. The
    cookie ID is stored on the user's hard drive and in the
    Drupal database (sessions table). This cookie is stored
    before mod_auth_mysql is called. Mod_auth_mysql will only
    need to read the cookie ID from the Apache header.

    By joining the sessions table on the user table we can find
    out the username.

    Additional joins (against a files table for example) will be
    needed. That is, the rest of the header info should also be
    available for writing the mysql queries for mod_auth_mysql.

    I've attached the file again.
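
As an added illustration (not code from mod_auth_mysql or from the file mentioned in this thread), here is one way a C module could pick a single named cookie out of a Cookie header that carries several, and reject a malformed value before it is used in a query. The function names and the 16 to 64 character alphanumeric session-ID format are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: copy the value of the cookie called `name` out of a
 * Cookie request-header value such as "a=1; PHPSESSID=<id>; b=2".
 * Returns 1 if the cookie is found and fits in `out`, 0 otherwise.
 * If the name appears more than once, the first occurrence wins. */
int find_cookie(const char *header, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = header;

    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ';')   /* skip separators */
            p++;
        const char *end = strchr(p, ';');              /* end of this pair */
        if (end == NULL)
            end = p + strlen(p);
        /* Match the whole name followed by '=', so "XPHPSESSID" or
         * "PHPSESSID2" is never mistaken for "PHPSESSID". */
        if ((size_t)(end - p) > nlen && strncmp(p, name, nlen) == 0
            && p[nlen] == '=') {
            size_t vlen = (size_t)(end - p) - nlen - 1;
            if (vlen == 0 || vlen >= outlen)
                return 0;                              /* empty or too long */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = end;
    }
    return 0;
}

/* Assumed session-id format: 16 to 64 ASCII letters or digits. Anything else
 * is rejected before the value gets near a database query. */
int valid_session_id(const char *id)
{
    size_t n = strlen(id);
    if (n < 16 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)id[i]))
            return 0;
    return 1;
}
```

The cookie value is supplied by the client, so even a value that passes this check is best handed to MySQL as a bound parameter rather than substituted into the query text.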


  • Jerry Stuckle

    Logged In: YES


    We can add cookies, but I don't think it will do what you want.

    When Apache detects access to a protected resource, it sends
    an Authorization Required (401) header to the browser. The
    browser checks its cache, and if no userid/password are
    found, it displays the logon popup. Once the user enters a
    userid/password (or a cached copy can be used), the browser
    resends the request with the authorization information.

    Only at this time does mod_auth_mysql get called. And once
    we are called, we get the userid and password from the
    authentication header, per RFC2617.

    So, you will not be able to get the userid from the session
    cookie; that's too far into the authorization process (and a
    violation of the RFC).

    So, before we go to a lot of work to get cookies working
    (BTW - your file still didn't make it up - don't know what
    the problem is), I'd like to make sure it will do what you
    want. As it is, I don't think it will.

    You could, of course, require both a userid (and optional
    password) and the session cookie for matching in the
    database. But I'm not sure that's what you want.


  • Logged In: YES

    Too bad, I guess we can close this RFE then. If I can't
    avoid that annoying pop up window, the feature is of little
    use to me and I doubt somebody else has a use for it. I
    guess I'll go the PHP road then.


    • status: open --> closed
  • Jerry Stuckle

    Logged In: YES


    OK. Sorry it didn't do what you wanted.

    However, I still think it's a good idea, even if it doesn't
    do what you want. We're going to investigate it for some
    future release.


  • Jerry Stuckle

    • status: closed --> open