Use case: A user has visited a site before and has a
cookie stored on his hard drive.
I want to be able to authenticate him through
mod_auth_mysql using that cookie.
The cookie gets sent with the http header and can be
extracted inside the module. The problem is to allow
the user to write sql queries inside .htaccess that
allow him to actually use that cookie info.
The cookie I want to use is pretty simple and looks like
Cookie: PHPSESSID=4d1c818cadc8a321687bba...
I think the easiest way would be to allow the user to
enter a mysql query in freeform mode and let him use
the qualifiers specified in formats[]. Unfortunately my
C is pretty rusty (and was never good to start with...).
Motivation: I am a developer with the Drupal project.
This project currently has a way to protect
uploaded files from unauthorized access, but it is a
bit clumsy. Of course there could be a php based
solution but I'd prefer an apache module.
Cheers,
Gerhard
I attach a file that contains my initial dabblings in
this...
Logged In: YES
user_id=1049703
Thanks for opening this, Gerhard.
Just allowing a free-form query won't do it - we need a way
to select the appropriate cookie - there may be several. I'm
still thinking about how to handle this.
Jerry
Logged In: YES
user_id=1049703
Hello, Gerhard,
I'm looking into this request. I see cookies are indeed
available at this time, so we can search for them.
However, I'm unsure what the best way to proceed here is.
The way the module is set up we still need to validate the
user id, even if there is no password.
The existing substitution parameters will validate in
addition to the user name. Is this what you want?
Or are you looking to validate with a cookie instead of a
userid? If so, I'm not sure we can do this - the
authorization/authentication mechanism in Apache requires
some kind of user id.
We could ignore the userid, but this won't help much. In
the case of an authentication failure, Apache will still
request authentication information from the browser (which
will display the logon popup).
In either case, you'll see one problem. The logon popup
will not set a cookie, so if anyone goes there without the
cookie, they will get the logon popup. However, entering a
userid and password won't get them any further because
there's no way to set the cookie.
So I'm looking for some input from you as to how you would
like this to work.
Also - the file you tried to upload didn't make it, so I
can't look at the code you were using as a comparison.
Jerry
Logged In: YES
user_id=32923
Hi Jerry,
here comes the additional input:
I want to use mod_auth_mysql to protect files from being
downloaded by the wrong people. The files will exist in a
subdirectory and will be uploaded through Drupal
(www.drupal.org). Mod_auth_mysql will only be needed to
protect that subdirectory.
Drupal will set a cookie for each visitor to the site. The
cookie ID is stored on the user's hard drive and in the
Drupal database (sessions table). This cookie is stored
before mod_auth_mysql is called. Mod_auth_mysql will only
need to read the cookie ID from the apache header.
By joining the sessions table on the user table we can find
out the username.
Additional joins (against a files table for example) will be
needed. That is, the rest of the header info should also be
available for writing the mysql queries for mod_auth_mysql.
I've attached the file again.
Cheers,
Gerhard
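An added example, not part of the thread and not mod_auth_mysql code: one way to pick a single named cookie out of a Cookie header that may carry several, as raised in the comments above, and to reject any value that is not plain alphanumeric before it gets near a query written in .htaccess. The function name, the sample header and the alphanumeric-only rule for the session id are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed session id alphabet: ASCII letters and digits only. */
static int is_id_char(char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

/* Copy the value of cookie `name` from a Cookie request header into `out`.
 * Returns the value length, or -1 if the cookie is absent, empty, too long
 * for `out`, or contains a character outside the assumed alphabet.
 * The first cookie with that name decides the result (fail closed). */
int get_session_cookie(const char *header, const char *name,
                       char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = header;

    while (p && *p) {
        while (*p == ' ' || *p == '\t' || *p == ';')   /* skip separators */
            p++;
        const char *end = strchr(p, ';');
        size_t plen = end ? (size_t)(end - p) : strlen(p);

        /* Require the full name followed by '=', so "XPHPSESSID" and
         * "PHPSESSID2" are not mistaken for "PHPSESSID". */
        if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *val = p + nlen + 1;
            size_t vlen = plen - nlen - 1;
            if (vlen == 0 || vlen >= outlen)
                return -1;
            for (size_t i = 0; i < vlen; i++)
                if (!is_id_char(val[i]))
                    return -1;   /* quotes, spaces, SQL metacharacters */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = end;                 /* NULL after the last pair ends the loop */
    }
    return -1;
}

int main(void)
{
    char id[64];                 /* constructed sample header below */
    int n = get_session_cookie("lang=en; PHPSESSID=4d1c818cadc8a321; t=1",
                               "PHPSESSID", id, sizeof id);
    printf("%d %s\n", n, n > 0 ? id : "(rejected)");
    return 0;
}
```

Even after this check, the value should be passed to the database through the client library's escaping or a bound parameter rather than pasted into the query text.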
Logged In: YES
user_id=1049703
Gerhard,
We can add cookies, but I don't think it will do what you want.
When Apache detects access to a protected resource, it sends
an Authorization Required (401) header to the browser. The
browser checks its cache, and if no userid/password are
found, it displays the logon popup. Once the user enters a
userid/password (or a cached copy can be used), the browser
resends the request with the authorization information.
Only at this time does mod_auth_mysql get called. And once
we are called, we get the userid and password from the
authentication header, per RFC2617.
So, you will not be able to get the userid from the session
cookie; that's too far into the authorization process (and a
violation of the RFC).
So, before we go to a lot of work to get cookies working
(BTW - your file still didn't make it up - don't know what
the problem is), I'd like to make sure it will do what you
want. As it is, I don't think it will.
You could, of course, require both a userid (and optional
password) and the session cookie for matching in the
database. But I'm not sure that's what you want.
Jerry
Logged In: YES
user_id=32923
Too bad, I guess we can close this RFE then. If I can't
avoid that annoying pop up window, the feature is of little
use to me and I doubt somebody else has a use for it. I
guess I'll go the PHP road then.
Cheers,
Gerhard
Logged In: YES
user_id=1049703
Gerhard,
OK. Sorry it didn't do what you wanted.
However, I still think it's a good idea, even if it doesn't
do what you want. We're going to investigate it for some
future release.
Jerry
Logged In: YES
user_id=32923
Apparently, all hope is not completely lost:
http://csce.uark.edu/~ajarthu/mod_auth_form/
Let's re-open this. ;)
Cheers,
Gerhard
Logged In: YES
user_id=1049703
Hi, Gerhard,
I have no problems reopening this - in fact, I thought about
doing so earlier because I still think it's a good idea.
It looks like mod_auth_form might do what you want without
any help from mod_auth_mysql. I haven't looked at the code
in detail, but a quick glance makes it seem like it's
bypassing the normal Apache authentication mechanism. This
is different than in mod_auth_mysql, where we work directly
within the authentication frameworks of Apache.
But I have reopened it, and am looking to add this into the
release after next (2.91 is almost ready to go out).
Jerry
Logged In: YES
user_id=1049703
We have added some code for testing against cookies, but
would like some testers. Anyone who is interested in
testing should contact me via email at my SourceForge address.
Jerry