Protects web page from non-authenticated request. Created to bridge OpenID/SSO to HTTP Basic Authorization.
tai/mod_auth_cookie-for-lighttpd
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
mod_auth_cookie for lighttpd === NOTE === This module is now renamed to "mod_auth_ticket" and development page has moved to https://github.com/tai/mod-auth-ticket-for-lighttpd You can upgrade to mod_auth_ticket just by renaming directive in lighttpd.conf from "auth-cookie" to "auth-ticket". === What is it? === This is a lighttpd module that 1) controls access to web page by cookie authentication, and 2) maps cookie content into HTTP Basic Authentication header. Initial goal of this module was to map OpenID/SSO mechanism onto HTTP BasicAuth mechanism, so I can move various legacy HTTP-BA based services under the hood of Google Accounts SSO. === How does it work? === This module does not verify user identity, but simply checks if UA has supplied verifiable authorization data in a cookie. Once verified, this module accepts whatever was in that encrypted cookie as user identity. Since embedding plain username/password in a cookie is a big NO-NO, this data is encrypted and signed by its issuer, in many case, external OpenID RP logon page. Typical session works as follows: 1. User tries to access protected page ("Page#1"). 2. mod_auth_cookie checks for a cookie, and finds no verifiable cookie exists. So it redirects UA to external logon page ("Page#2"). 3. At Page#2, the user is guided to OpenID SSO logon, and comes back to Page#2 with verified identity. 4. At Page#2, verified identity is encrypted and signed with shared key between Page#1 and #2, and finally redirected back to Page#1. 5. mod_auth_cookie traps access to Page#1, and examines cookie. Once verified, identity will be cached and random token is generated as a replacement cookie for given identity. 6. mod_auth_cookie overwrites cookie with previously- generated token, so further UA access will not contain identity info. 7. mod_auth_cookie maps identity info to HTTP-BA header, so legacy webapps can recognize user identity. 8. Finally, the user is now allowed to view Page#1. This is a lengthly process, but this trampoline-like flow is needed to map complex OpenID-like authentication onto HTTP-BA mechanism. I first planned to implement mod_auth_openid which provides OpenID RP feature directly, but abandoned as it'd be much flexible to handle it in web application code. This modules provides minimal feature needed by external OpenID RP to inject identity information to HTTP-BA layer. === Configuration === $HTTP["url"] =~ "^/secret/" { auth-cookie.loglevel = 255 # Ignore incoming Authorization: header auth-cookie.override = 2 # Life-duration of generated auth token auth-cookie.timeout = 3600 # Cookie name and option to use auth-cookie.name = "TestAuth" auth-cookie.options = "path=/;" # URL of logon page to redirect to in case of unverified cookie # Redirected URL will have a form of "/login.php?url=original-url" auth-cookie.authurl = "/login.php" # Shared key used to encrypt and sign cookie payload auth-cookie.key = "shared-secret" } === How to encrypt and sign cookie === Following is a sample code for generating verifiable auth cookie using PHP. <?php // check identity if (! check_user($_POST["username"], $POST["password"])) { header("Location: login.php"); exit(0); } // core encryption functionality (basically an XOR) function encrypt($buf, $key, $keylen) { $n = strlen($buf); for ($i = 0; $i < $n; $i++) { $c = ord($buf[$i]); $c ^= ($i > 0 ? ord($buf[$i - 1]) : 0) ^ ord($key[$i % $keylen]); $buf[$i] = chr($c); } return $buf; } # create time-based temporal key for encryption/sign $key = "shared-secret"; $now = time(); $now = $now - $now % 5; $tmp = md5($now . $key, TRUE); # encrypt and sign $plaintext = base64_encode($_POST["username"] . ":dummytext"); $encrypted = bin2hex(encrypt($plaintext, $tmp, strlen($tmp))); $signature = md5($key . $now . $encrypted); $totaldata = "crypt:" . $signature . ":" . $encrypted; # set as cookie, so mod_auth_cookie willl see it in further use setcookie("TestAuth", $totaldata, 0, "/", "", FALSE, TRUE); # redirect back to original protected page header("Location: /protected/page.php"); ?> === TODO/WISHLIST === - Clean up string/buffer handling - Should clean up expired entries to free memory - Introducing "srp:" cookie (encryption with Secure Remote Password) - Allow authinfo injection using URL (for distributed auth) - Add demo in other programming languages - Make it compatible with Apache mod_auth_tkt/mod_auth_pubtkt.
About
Protects web page from non-authenticated request. Created to bridge OpenID/SSO to HTTP Basic Authorization.
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published