mod_auth_cookie_dbm 1.0.2 review

by rbytes.net on

mod_auth_cookie_dbm is a session authentication/expiration module using (cryptographically strong) cookies

License: BSD License
File size: 7K
Developer: Magnus Backstrom Ringman

mod_auth_cookie_dbm is a session authentication/expiration module using (cryptographically strong) cookies. The cookie-to-username mapping is kept in a DBM database.

It was devised as a better replacement for the "Basic" authentication components that ship with Apache.

Classic "Basic" authentication has some downsides:

- Username and password are shipped across the net with every request.
- There is no concept of a "session" (nor the extras that come with one, such as timeouts and automatic logout).

This module:

1. Checks requests for a cookie, named in the CookieDBMAuthCookieName configuration directive.

2. If found, the cookie value is looked up in a DBM database, named in the CookieDBMAuthFile directive.
If the lookup fails, a redirect is made to a page specified in the CookieDBMAuthFailureURL directive.

3. The DBM entry is expected to contain a username and optionally an expiry time. Fields are colon-separated; the expiry time is an integer written out as text (the field gets passed to strtol()) representing the time_t.
If valid, the username is attached to the request, thus "emulating" Basic authentication.
If expired, the request is redirected to the CookieDBMAuthFailureURL.
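
The entry check from step 3, as an added example (not the module's own code). The function name, the status enum, the 256-byte limit, base-10 parsing and treating a missing expiry field as "never expires" are assumptions. Because DBM values are length-counted rather than NUL-terminated, the record is copied and terminated explicitly before strtol() sees it.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum session_status { SESSION_VALID, SESSION_EXPIRED, SESSION_MALFORMED };

/* Parse a DBM value of the form "username[:expiry]" (layout from the text).
 * val/len mirror a DBM datum: len bytes, no terminating NUL guaranteed.
 * user is only meaningful when SESSION_VALID is returned. */
enum session_status check_session(const char *val, size_t len, time_t now,
                                  char *user, size_t user_sz)
{
    char buf[256];                          /* assumed upper bound on a record */
    char *colon, *end;
    long expiry;

    if (val == NULL || len == 0 || len >= sizeof(buf))
        return SESSION_MALFORMED;
    if (memchr(val, '\0', len) != NULL)     /* embedded NUL: reject */
        return SESSION_MALFORMED;
    memcpy(buf, val, len);
    buf[len] = '\0';                        /* explicit termination */

    colon = strchr(buf, ':');
    if (colon != NULL)
        *colon = '\0';                      /* split username / expiry */
    if (buf[0] == '\0' || strlen(buf) >= user_sz)
        return SESSION_MALFORMED;
    strcpy(user, buf);                      /* bounded by the check above */

    if (colon == NULL)                      /* assumption: no expiry field */
        return SESSION_VALID;               /* means the session never expires */

    errno = 0;
    expiry = strtol(colon + 1, &end, 10);   /* assumption: base 10 */
    if (end == colon + 1 || *end != '\0' || errno == ERANGE || expiry < 0)
        return SESSION_MALFORMED;           /* empty, trailing junk, overflow */
    return (time_t)expiry > now ? SESSION_VALID : SESSION_EXPIRED;
}
```

Any result other than SESSION_VALID corresponds to the redirect to CookieDBMAuthFailureURL described above.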

The CookieDBMAuthFailureURL typically points at a "login page" CGI script. This program, after checking the user's credentials, should make up a cookie value (preferably a long, cryptographically strong random string), enter it in the dbm file, and pass it to the browser. It might also update an AuthUserFile or AuthDBMUserFile database on the fly.

Acknowledgements:

This module was written from scratch, with some inspiration from the mod_auth_cookie_mysql and mod_auth_cookie_pgsql2 modules.

Requirements:
Apache 2.x

What's New in This Release:
Repair the Repair. (fix a missed null termination -- serious.)
