credentials results from the CPAN

Apache-AutoLogin

view release on metacpan or search on metacpan

    
    # Test the length of the key. I wonder if this is really necessary,
    # perhaps using md5 keys generated from this one would be better
    
    if (length($encryption_key) % 32 != 0) {
        $log->error("Encryption key must by 256 bits long (32 characters)");
        return SERVER_ERROR;
    }    
    
    # Let's get the authorization headers out of the client's request
    my $credentials='';
    my $user='';
    my $password='';
    
    my $auth_header=$r->headers_in->get('Authorization');
    if (defined $auth_header)
    {
        $credentials =(split / /, $auth_header)[-1];
        ($user, $password) = split /:/, MIME::Base64::decode($credentials),2;
    }
    
    $log->info("header $user from $client_identifier");
    
    # Look for any cookies
    
    my %cookiejar = Apache::Cookie->new($r)->parse;
    
    
    ## If the user has called the predefined logout page,

AutoLogin.pm view on Meta::CPAN

        
        $log->info("Client $client_identifier has no cookie");
    
        setCookie($r,$user,$password,$client_identifier,$cookie_lifetime,$encryption_key);
        
        # DECLINED zur?ckgeben, damit Apache weitermacht.
        return DECLINED;
    }
    
        
    # Get the credentials out of the cookie
    
    my %auth_cookie=$cookiejar{$auth_name}->value;
    my $decrypted_string=decrypt_aes(decode_base64($auth_cookie{Basic}),$encryption_key);
    my ($c_user,$c_password,$c_client_ip,$c_date)=split (/:/, $decrypted_string , 4);
    
    # Check if the client has furnished any valid information
    
    if ($decrypted_string ne '')
    {
        $log->info("Data from cookie $c_user, $c_date, $c_client_ip");

AutoLogin.pm view on Meta::CPAN

            $log->info("Cookie for $c_user has not been set for $client_identifier but for $c_client_ip");
            setCookie($r,$user,$password,$client_identifier,$cookie_lifetime,$encryption_key);
            return DECLINED;
        }
    }
    else
    {
        $log->info("Client $client_identifier has furnished an invalid cookie.");
    }
    
    # If the client sent any http authentication credentials lets write them to a cookie
    
    if ($user ne '' && $password ne '') {
        setCookie($r,$user,$password,$client_identifier,$cookie_lifetime,$encryption_key);
    }
    
    # Else write the credentials within the cookie into the http header
    else {
        # But only if there IS something in the cookie!
        if ($decrypted_string ne '' and $c_user ne '' and $c_password ne '')    {
            my $credentials=MIME::Base64::encode(join(":",$c_user,$c_password));
            $r->headers_in->set(Authorization => "Basic $credentials");
        }
    }
    
    # Return DECLINED
    return DECLINED;
}

## sets the cookie
sub setCookie {

AutoLogin.pm view on Meta::CPAN

    {
        return "";
    }
    ## chop of the random data
    my $char=" ";
    while($char ne ':' and $char ne '')
    {
        $char=chop($decrypted);
    }
    
    ## If char is eq to '' then there were no credentials, etc. in the string...
    if ($char eq '')
    {
        return '';
    }
    
     
    return $decrypted;

}

AutoLogin.pm view on Meta::CPAN

  </Location>



=head1 DESCRIPTION

Apache::AutoLogin is a mod_perl module for convenience of the users. It is NO authentication module so far, authentication is up to other auth basic modules of any flavour.

Apache::AutoLogin does basically the following:

If a client connects for the first time, grab it's request and look for an Apache::AutoLogin cookie. If there is such a cookie, extract the credentials, add them to the http headers for later use by the authentication module. During such a session, t...

If the client sends an authorization header, then one of two things happened: There was no cookie for supplying the credentials or the cookie or the credentials were invalid. Then we basically take the credentials from the client's header and store t...

If a client wants to log out, he / she has to invoke a predefined page of any flavour and we will set in invalid cookie to erase the credentials.

=head2 Who should use it?

Anyone who relies on basic authentication and does not want the users to authenticate everytime they point their browser to the restricted website. Especially useful for company intranets.

=head2 Security aspects

The cookie itself is AES256 encrypted using Crypt::Rjindael and features a md5 checksum of the data. Furthermore, some information about the client the cookie was issued for is stored as well (IP address, user-agent, hostname), which should make it m...

Anyways, although cracking of the cookie is almost unfeasable with todays computing powers, be aware that this module is for convenience only. It does not give you any additional security (well a bit perhaps) over traditional basic authentication, wh...

Although the cookie can be regarded as secure, the security of it's use stands and falls with the security of the computer it is stored on. If your users do not have personal accounts on their computers, forget about using it.


=head1 Apache configuration directives

All directives are passed in PerlSetVar.
        
=head2 AutoLoginCookieLifetimeInDays "3"

( run in 0.233 second using v1.01-cache-2.11-cpan-a5abf4f5562 )