Re: [users@httpd] use cookie value as auth username
I'm still interested in any ideas to try to set REMOTE_USER from a
AuthBasicFake sounds like it would work, but when I use it authz_dbd
AH00027: No authentication done but request not allowed without
authentication for /whatever/file.txt. Authentication not
Does that sound like a bug/deficiency in AuthBasicFake? Ie. it appears
it didn't 'fake' authentication enough for an authorization module to
think that it had been configured.
mod_auth_env looks like it would work, but isn't packaged for debian so
doesn't work well for my needs (creating a tutorial for users to follow
after they've installed apache & modules from debian packages).
This patch looks like just the ticket, but isn't included upstream so
of course the same source/packaging issue as with mod_auth_env:
If I can't find any other way I might have to just use mod_auth_env
(assuming it will work) and provide instructions for how to build and
install the .deb file, but I'd sure rather use stock modules.
On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote:
> I'm trying to use an authz_dbd query to authorize based on the
> of a cookie (ie. if PHPSESSID cookie is set, a db query can test if
> should be authorized). It seems the only parameter AUTHzDBDQuery
> supply to the sql query is the username in place of %s; this could
> if I could set what REMOTE_USER should be prior to the query running,
> but I haven't found a way to do so. Eg. here the username for the
> query is from the auth provider (anon), the SetEnv doesn't the query:
> <Directory "/whatever/">
> AuthName "Name"
> AuthType Basic
> AuthBasicProvider anon
> Anonymous_NoUserID on
> Anonymous_MustGiveEmail off
> Anonymous anonymous "*"
> SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1
> Require dbd-group foo
> # this will work, for any username entered in the browser:
> #AuthzDBDQuery "SELECT 'foo' FROM sys_session"
> # this does not work to obtain %s from PHPSESSID:
> AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s"
> I'm pretty sure I must convince apache to set a new REMOTE_USER (or
> httpd_username?) internal variable, not an environment variable, but
> don't see how. If I don't specify any AuthType, or set it to None,
> AuthzDBDQuery never runs and the error.log says it requires
> authentication but authentication is not set up. Any ideas are
> appreciated - thanks!
> I'm running 2.4.25-3+deb9u5 from debian stretch.
> Jesse Norell
Kentec Communications, Inc.
970-522-8107 - www.kci.net
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx