osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] use cookie value as auth username


For the archives, should someone comes across this, the solution I
found was to use mod_auth_env, which worked to set REMOTE_USER from a
cookie value so AuthzDBDQuery could use that in the query.  From my
previous contrived example, it would look like:

<IfModule mod_setenvif.c>
  SetEnvIf Cookie "PHPSESSID=([^ ;]+)" phpsessid=$1
</IfModule>

<Directory "/whatever/">
  <IfModule mod_auth_env.c>
    AuthType Env
    AuthEnvUser phpsessid
  <
/IfModule>

  <RequireAll>
    Require env phpsessid
    Require dbd-group foo
  </RequireAll>

  # this now works, to set %s from PHPSESSID cookie:
  AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id = %s"

</Directory>



On Mon, 2018-10-01 at 18:10 -0600, Jesse Norell wrote:
> I'm still interested in any ideas to try to set REMOTE_USER from a
> cookie value.
> 
> 
> AuthBasicFake sounds like it would work, but when I use it authz_dbd
> still complains:
> 
>    AH00027: No authentication done but request not allowed without
>    authentication for /whatever/file.txt. Authentication not
>    configured?
> 
> Does that sound like a bug/deficiency in AuthBasicFake?  Ie. it
> appears it didn't 'fake' authentication enough for an authorization
> module to think that it had been configured.
> 
> 
> mod_auth_env looks like it would work, but isn't packaged for debian
> so doesn't work well for my needs (creating a tutorial for users to
> follow after they've installed apache & modules from debian
> packages).
> 
> This patch looks like just the ticket, but isn't included upstream so
> of course the same source/packaging issue as with mod_auth_env:  
>   https://github.com/jkbzh/apache2_mod_authz_dbd
> 
> If I can't find any other way I might have to just use mod_auth_env
> (assuming it will work) and provide instructions for how to build and
> install the .deb file, but I'd sure rather use stock modules.
> 
> Thanks!
> Jesse
> 
> 
> On Tue, 2018-09-25 at 14:54 -0600, Jesse Norell wrote:
> > Hello,
> > 
> >   I'm trying to use an authz_dbd query to authorize based on the
> > value
> > of a cookie (ie. if PHPSESSID cookie is set, a db query can test if
> > it
> > should be authorized).  It seems the only parameter AUTHzDBDQuery
> > will
> > supply to the sql query is the username in place of %s; this could
> > work
> > if I could set what REMOTE_USER should be prior to the query
> > running,
> > but I haven't found a way to do so.  Eg. here the username for the
> > query is from the auth provider (anon), the SetEnv doesn't the
> > query:
> > 
> > <Directory "/whatever/">
> >   AuthName "Name"
> >   AuthType Basic
> >   AuthBasicProvider anon
> > 
> >   Anonymous_NoUserID on
> >   Anonymous_MustGiveEmail off
> >   Anonymous anonymous "*"
> > 
> >   SetEnvIf Cookie "PHPSESSID=([^ ]+)" REMOTE_USER=$1
> > 
> >   Require dbd-group foo
> > 
> >   # this will work, for any username entered in the browser:
> >   #AuthzDBDQuery "SELECT 'foo' FROM sys_session"
> > 
> >   # this does not work to obtain %s from PHPSESSID:
> >   AuthzDBDQuery "SELECT 'foo' FROM sys_session WHERE session_id =
> > %s"
> > 
> > </Directory>
> > 
> >   I'm pretty sure I must convince apache to set a new REMOTE_USER
> > (or
> > httpd_username?) internal variable, not an environment variable,
> > but
> > I
> > don't see how.  If I don't specify any AuthType, or set it to None,
> > the
> > AuthzDBDQuery never runs and the error.log says it requires
> > authentication but authentication is not set up.  Any ideas are
> > appreciated - thanks!
> > 
> >   I'm running 2.4.25-3+deb9u5 from debian stretch.
> > 
> > Thanks,
> > Jesse Norell 
> > 

-- 
Jesse Norell
Kentec Communications, Inc.
970-522-8107  -  www.kci.net


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx