mod_authn_tkt for Lighttpd


mod_authn_tkt provides secure cookie-based authentication for Lighttpd.
It is a port of the Apache module of the same name.

Basically it works as follows:
1) The user tries to access a restricted URI.
2) mod_authn_tkt checks whether the request carries a valid ticket in a cookie
   with a predetermined name. If not, the module redirects the user to the login
   URI, passing a reference to the original page via a URI parameter or another cookie.
3) At the login URI the user is authenticated and is given a ticket (a cookie
   is set).
4) The original page can be accessed as long as the ticket is valid and not expired.
5) A valid ticket is periodically refreshed on subsequent requests of protected

More information may be found at the homepage of the original Apache module:


auth.method.tkt.opts = ( <options> )
	All options are collected into a single directive, to attempt to
	keep the auth site config and policy together.  The mod_auth auth.require
	directive is used to set the authorized users config and to employ


"secret" - string, required
	secret component of MD5 hash

"secret-old" - string, optional
	(previous) secret component of MD5 hash

"login-url" - string, required
	unauthorized requests are redirected to this URI

"timeout-url" - string, default="login-url"
	requests that send tickets whose timestamp is older than the period
	specified in "timeout" are redirected to this URI

"post-timeout-url" - string, default="timeout-url"
	requests that send tickets whose timestamp is older than the period
	specified in "timeout" via POST are redirected to this URI

"unauth-url" - string, default="login-url"
	requests that send tickets without the required tokens are redirected
	to this URI

"timeout" - string, default=7200
	period of time before a ticket is considered expired (not the same
	as cookie expiration: the ticket timestamp is protected by the MD5 hash).
	The last char of the string may be one of:
	m, h, d, w, M, y
	to specify minutes, hours, days, weeks, months and years respectively.
	With no suffix the setting is treated as seconds.

"timeout-refresh" - float, default=0
	From documentation of mod_auth_tkt for Apache:
	"A number between 0 and 1 indicating whether and how to refresh ticket
	timestamps. 0 means never refresh (hard timeouts). 1 means refresh
	tickets every time. .33 (for example) means refresh if less than .33
	of the timeout period remains."

"digest-type" - string, default="MD5"
	Digest used in cookie.
	"SHA256" or "SHA512" available if module linked with openssl libcrypto

"ignore-ip" - boolean, default=disable
	If set, client's IP is included in ticket.

"require-ssl" - boolean, default=disable
	If set, ignore tickets that are sent over clear HTTP

"cookie-secure" - boolean, default=disable
	Whether to set 'Secure' flag on ticket cookies
	(default=enabled when "require-ssl" is enabled)

"cookie-name" - string, default="auth_tkt"
	ticket is set as a cookie with this name

"cookie-domain" - string, default=<value of option>
	'Domain' field of the ticket cookie

"cookie-expires" - string, default=0
	'Expires' field of the ticket cookie. Format is the same as

"back-cookie-name" - string, optional
	If set, cookie with this name is used instead of GET parameter,
	to remember the requested page

"back-arg-name" - string, default=back
	From documentation of mod_auth_tkt for Apache:
	"will add a GET parameter to all redirect URLs containing a URI-escaped
	version of the current requested page e.g. if the requested page is and "back-arg-name" is set to
	'back', mod_auth_tkt will add a parameter like:

	to the "login-url" it redirects to, allowing your login script
	to redirect back to the requested page upon successful login."

"guest-user" - string, default="guest"
	guest username
	If the string contains %U or %<digits>U, that placeholder is substituted
	in the guest username with random hex chars (1 - 32 hex chars)

"guest-login" - boolean, default=disable
	permit guest login (if cookie is invalid or missing)

"guest-cookie" - boolean, default=disable
	create cookie for guest (not supported yet)

"guest-fallback" - boolean, default=disable
	fallback to guest login if cookie expired

"tokens" - list, default=(), optional
	List of URL-path prefixes and the additional authorization tokens they require.
	If a URL-path matches a prefix and the target list of strings is not empty,
	then the user is allowed to access the resource only if his/her ticket
	carries any of the specified tokens.
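An added example, not code from this repository, of what the checks described by the "secret"/"secret-old", "digest-type", "timeout" and "timeout-refresh" options amount to for a login script (minting) and for the module (verifying). It assumes the ticket layout of the Apache mod_auth_tkt module (digest, 8 hex-digit timestamp, then user, tokens and user data separated by "!"), which this page does not spell out; the option values and addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct
# Constructed option set mirroring the option names documented above.
OPTS = {"secret": "longlonglongsecretkey",
        "secret-old": "previously-rotated-longlonglongsecretkey",
        "timeout": "20m", "timeout-refresh": 0.25,
        "digest-type": "SHA256", "ignore-ip": False}
# "timeout" suffixes: minutes, hours, days, weeks, months (30d), years (365d)
SUFFIX = {"m": 60, "h": 3600, "d": 86400, "w": 604800, "M": 2592000, "y": 31536000}

def parse_timeout(value):
    """'20m' -> 1200 seconds; a bare number is already in seconds."""
    value = str(value)
    return int(value[:-1]) * SUFFIX[value[-1]] if value[-1] in SUFFIX else int(value)

def _digest(secret, ip, ts, user, tokens, data):
    # Assumed Apache mod_auth_tkt layout: H(H(ip|ts|secret|user\0tokens\0data) + secret)
    h = lambda b: hashlib.new(OPTS["digest-type"].lower(), b).hexdigest()
    ip_b = b"\0\0\0\0" if OPTS["ignore-ip"] else socket.inet_aton(ip)
    inner = h(ip_b + struct.pack(">I", ts) + secret.encode() + user.encode()
              + b"\0" + tokens.encode() + b"\0" + data.encode())
    return h((inner + secret).encode())

def mint(user, ip, ts, tokens="", data="", secret=None):
    """What the login script sets as the cookie value after authenticating the user."""
    d = _digest(secret or OPTS["secret"], ip, ts, user, tokens, data)
    return "%s%08x%s!%s!%s" % (d, ts, user, tokens, data)

def verify(ticket, ip, now):
    """Return (status, user, tokens); status is 'ok', 'ok-refresh', 'expired' or 'invalid'."""
    dlen = len(hashlib.new(OPTS["digest-type"].lower()).hexdigest())
    try:
        d, ts = ticket[:dlen], int(ticket[dlen:dlen + 8], 16)
        user, tokens, data = ticket[dlen + 8:].split("!", 2)
    except ValueError:
        return ("invalid", None, None)
    # Accept the current secret or, during rotation, the previous one ("secret-old").
    secrets = [s for s in (OPTS["secret"], OPTS.get("secret-old")) if s]
    if not any(hmac.compare_digest(d, _digest(s, ip, ts, user, tokens, data)) for s in secrets):
        return ("invalid", None, None)     # digest mismatch: tampered, other IP or wrong secret
    timeout = parse_timeout(OPTS["timeout"])
    if now - ts > timeout:
        return ("expired", user, tokens)   # -> "timeout-url" / "post-timeout-url"
    # "timeout-refresh": re-issue the ticket if less than that fraction of the period remains.
    if timeout - (now - ts) < OPTS["timeout-refresh"] * timeout:
        return ("ok-refresh", user, tokens)
    return ("ok", user, tokens)
```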

server.modules  = (

# (sample mod_authn_tkt config)
auth.method.tkt.opts = (
    "secret"           => "longlonglongsecretkey",
    "secret-old"       => "previously-rotated-longlonglongsecretkey",
    "login-url"        => "",
    "timeout-url"      => " ",
    "post-timeout-url" => "",
    "unauth-url"       => "",
    "timeout"          => "20m",
    "timeout-refresh"  => ".25",
    "digest-type"      => "MD5",  # "MD5", "SHA256", or "SHA512"
    "ignore-ip"        => "disable",
    "require-ssl"      => "enable",
    "cookie-secure"    => "enable",
    "cookie-name"      => "auth_tkt",
    "cookie-domain"    => "",
    "cookie-expires"   => "20m",
    "back-arg-name"    => "back",
    "back-cookie-name" => "auth_tkt_back",
    "guest-user"       => "guest-%16U",
    "guest-login"      => "disable",
    "guest-cookie"     => "disable",
    "guest-fallback"   => "disable",
    "tokens"           => ("/protected-folder/protected.txt" => ("token1", "admin"),
                           "/download/"                      => ("downloader"),
                           "/server-info"                    => ("admin"))
)

# (sample mod_auth config to use mod_authn_tkt.  Note: "method" => "authn_tkt")
auth.require = ( "/download/" =>
                   ( "method"  => "authn_tkt",
                     "realm"   => "ignored-for-authn-tkt", # must be non-empty
                     "require" => "user=agent007|user=agent008" ),
                 "/server-info" =>
                   # limit access to valid user with "admin" token (above)
                   ( "method"  => "authn_tkt",
                     "realm"   => "ignored-for-authn-tkt", # must be non-empty
                     "require" => "valid-user" ),
                 "/protected-folder/" =>
                   # limit access to valid user
                   # additionally require tokens for protected.txt (above)
                   ( "method"  => "authn_tkt",
                     "realm"   => "ignored-for-authn-tkt", # must be non-empty
                     "require" => "valid-user" )
               )
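An added example (not the project's code) that evaluates the sample auth.require and "tokens" tables above for a request path and the user and token list carried by a ticket, showing how the two layers combine. The tables are retyped by hand from the config rather than parsed; longest-prefix matching and a comma-separated token list are assumptions.

```python
# Constructed to mirror the sample lighttpd config above (not parsed from it).
TOKENS = {"/protected-folder/protected.txt": ("token1", "admin"),
          "/download/": ("downloader",),
          "/server-info": ("admin",)}
REQUIRE = {"/download/": "user=agent007|user=agent008",
           "/server-info": "valid-user",
           "/protected-folder/": "valid-user"}

def longest_prefix(table, path):
    """Assumed: the longest configured URL-path prefix wins, for both tables."""
    matches = [p for p in table if path.startswith(p)]
    return max(matches, key=len) if matches else None

def require_ok(require, user):
    # mod_auth "require": "valid-user", or '|'-separated "user=NAME" alternatives
    if require == "valid-user":
        return bool(user)
    return any(alt == "user=" + user for alt in require.split("|"))

def tokens_ok(path, ticket_tokens):
    # "tokens": a matching prefix with a non-empty list needs any one of its tokens
    prefix = longest_prefix(TOKENS, path)
    if prefix is None or not TOKENS[prefix]:
        return True
    have = {t for t in ticket_tokens.split(",") if t}   # assumed comma-separated
    return bool(have & set(TOKENS[prefix]))

def authorize(path, user, ticket_tokens):
    """'open' (not under auth.require), 'deny' (require fails),
    'unauth' (token missing -> "unauth-url") or 'allow'."""
    prefix = longest_prefix(REQUIRE, path)
    if prefix is None:
        return "open"
    if not require_ok(REQUIRE[prefix], user):
        return "deny"
    if not tokens_ok(path, ticket_tokens):
        return "unauth"
    return "allow"
```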


- tests

