Re: beyond basic authentication - modssl
Quoth Bahadir Balban at 12/30/2006 08:16 AM...
> For example, how could I serve content based on username, how could I
> send passwords in encrypted form? How could I make use of signed
> cookies, maintain a session with the same user, etc. Any books to
> cover such web development recipes using apache? Preferably using
All you need to do is to maintain state, either by using cookies
(easiest) or by getting your software to maintain persistent variables
through the query string (messy).
As this is the modssl list, I am assuming that you are doing this
through an SSL connection. Passwords, therefore, would be encrypted
along with the rest of the data.
So, you send the encrypted user name and password and - if OK - set a
cookie that contains the user name and a hash (MD5, SHA1, etc.) of the user
name and a secret string provided by the server. (Or just the user name
and a hash of the user name and password that can be checked every time
you change page.)
You would need to either a) know that your clients can all accept
cookies, such as in an intranet situation, b) have a fall-back mechanism
to work when cookies are not available or c) disclaim that your system
will not work without cookies. You may be able to get away with this,
but check up on your local accessibility laws (if any).
One thing to always bear in mind is that - except in an intranet
situation - you cannot assume anything of the user agent. If you do
client-side, always provide a means of fallback in case the method
So, you don't really need to involve Apache in the equation, as your
scripted solution (mod_python, etc) can take care of this. PHP is
rather clever in this respect in that it can look after session
variables [to preserve state] for you. I have written similar
mechanisms in Perl, but prefer the PHP solution as it is easier.
At the end of the day, personally, I use basic authentication + SSL for
all my applications. The only disadvantage is the restriction of one
SSL virtual host per IP address/port.
Hope this gives you some ideas.
IT Consultancy & Web Application Development
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List firstname.lastname@example.org
Automated List Manager email@example.com
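An added example, not code from the thread above, of the signed cookie the reply describes: the cookie carries the user name plus an authenticator computed from a server-side secret. It uses HMAC-SHA256 rather than a bare hash of secret and user name concatenated, since a plain MD5/SHA1 over that concatenation is subject to length-extension forgery, and adds an issue time so a stolen cookie does not work forever. The secret, lifetime and user names are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secret for the example only; generate it randomly and keep
# it outside the web root in a real deployment.
SERVER_SECRET = b"example-secret-do-not-use-in-production"
COOKIE_LIFETIME = 3600  # seconds a cookie stays valid after issue


def make_session_cookie(username: str, issued_at: Optional[int] = None) -> str:
    """Return 'username|issued_at|mac', where mac is HMAC-SHA256 over the
    first two fields keyed with the server secret."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{username}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{username}|{issued_at}|{mac}"


def verify_session_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired,
    otherwise None. Checked on every page load, as the reply suggests."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, issued_str, mac = parts
    if not issued_str.isdigit():
        return None
    payload = f"{username}|{issued_str}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    now = int(time.time()) if now is None else now
    if now - int(issued_str) > COOKIE_LIFETIME:
        return None
    return username
```

The cookie still travels in the clear unless the site is served over SSL, so mark it Secure and HttpOnly when setting it.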