mod_auth_cookie_dbm 1.0.2 review

by on

mod_auth_cookie_dbm is a session authentication/expiration using (cryptographically strong) cookies

License: BSD License
File size: 7K
Developer: Magnus Backstrom Ringman
0 stars award from

mod_auth_cookie_dbm is a session authentication/expiration using (cryptographically strong) cookies. Cookie-to-username mapping with DBM database.

It was devised as a better replacement for the "Basic" authentication components that ship with Apache.

Classic "Basic" authentication has some downsides:

- Username and password are shipped across the net with every request.
- There is no concept of a "session" (nor encores, such as timeouts and automatic logout)

This module

1. checks requests for a cookie, named in the CookieDBMAuthCookieName configuration directive.

2. If found, the cookie value is looked up in a DBM database, named in the CookieDBMAuthFile directive.
If the lookup fails, a redirect is made to a page specified in the CookieDBMAuthFailureURL directive.

3. The DBM entry is expected to contain a username and optionally an expiry time. Fields are colon-separated, the expiry time is a spelled-out integer (the field gets passed to strtol()) representing the time_t
If valid, the username is taped onto the request, thus "emulating" Basic authentication.
If expired, redirect to the CookieDBMAuthFailureURL.

The CookieDBMAuthFailureURL typically points at a "login page" CGI script. This program, after checking the user's credentials, should make up a cookie value (preferably a long, cryptographically strong random string), enter it in the dbm file, and pass it to the browser. It might also update an AuthUserFile or AuthDBMUserFile database on the fly.


This module was written from scratch, with some inspiration from the mod_auth_cookie_mysql and mod_auth_cookie_pgsql2 modules.

Apache 2.x

What's New in This Release:
Repair the Repair. (fix a missed null termination -- serious.)

mod_auth_cookie_dbm 1.0.2 keywords