Apache-AppSamurai


FAQ

Q: I am using multiple authentication methods, and the credentials passed into
   the login form seem to be going to the wrong places... help!
A: The order in which credentials are checked is defined by their order in
   the AuthMethods setting for your auth name.  The first authentication
   method in the list is checked first and receives the value submitted as
   credential_1 by the login form, login.html; the second method receives
   credential_2, and so on down the list.

   In most cases you will want your strongest (or any dynamic/token-based)
   authentication checked first: assign it credential_1 and put it first in
   the AuthMethods list.  Your weakest method (the most easily guessed or
   most static one) should be checked last, so give it the last credential_
   value in your login.html form and put it last in the AuthMethods list.

Q: But I want the order of credential entry boxes to be different on
   the login form...
A: Then move them around in the HTML.  The HTML order does not matter; only
   the credential_X name assigned to each input does (X being the number).

Q: I am using files for session storage and locking.  How can I cleanup all
   those stale session files?

lib/Apache/AppSamurai.pm

# Syntax:
#
#    TYPE:NAME
#
# TYPE - Type of item (header or arg) to pull in
# NAME - Name of header or argument to pull in
#
# The name match is case insensitive, but strict: only the exact names are
# used, to ensure a consistent key text source.  MAKE SURE TO USE
# PER-CLIENT UNIQUE VALUES!  The less random the key text source is, the
# easier it is to guess.  (Once again: do not use the custom key text
# source feature if you can avoid it!)
sub FetchKeysource {
    my ($self, $r) = @_;
    my $auth_name = ($r->auth_name()) || (die("FetchKeysource(): No auth name defined!\n"));
    my @srcs = $r->dir_config->get("${auth_name}Keysource");
 
    # Return empty, which session key creators MUST interpret as a request
    # for a fully randomized key
    return '' unless (scalar @srcs);

lib/Apache/AppSamurai/Util.pm

log. This is still 128 bits of digest, and in most cases would be enough not
to seriously endanger the data.
 
On the other hand, if you allow long passwords and you log a basic
authentication "Authorization:" header of:
"cm9nZXJ0aGVtYW46VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wZWQgb3ZlciB0aGUgbGF6eSBkb2cu"
the output would be:
"cm9nZXJ0aGVtYW46VGhlIHF1aWNrIGJyb3duIGXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX".
This is not very safe.  Here is what decoding produces:
"rogertheman:The quick brown e×]u×]u×]u×]u×]u×]u×]u×]u×]u×"
So the user's name is "rogertheman".  More importantly, the first part of the
password is exposed in clear, the rest of it is easy to guess from that
prefix, and the length of the base64 text gives away the length of the
password.

Apache::AppSamurai does log the Authorization: header using XHalf when
Debug is enabled.  Be very careful when running production servers!  Only
use Debug when absolutely needed, monitor the logs for sensitive information
leaks, and remove debug log data when possible.

If you find even that too risky, leave Debug set to 0 and do not use XHalf
in any modules you write.
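
As an added illustration (not code from Apache::AppSamurai::Util or any other
part of the project), the Perl below reproduces the XHalf behaviour inferred
from the example above (keep the first half of the string, replace the second
half with X), applies it to a constructed Basic-auth token, and then plays the
log reader: it recovers the username, the start of the password, and the
password length to within two characters from the masked line alone.  The sub
names xhalf and leak_from_masked and the sample credentials are this
example's own assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# XHalf as described above: keep the first half of a string and replace the
# second half with 'X'.  Illustration only, not the project's own Util sub.
sub xhalf {
    my ($text) = @_;
    my $keep = int(length($text) / 2);
    return substr($text, 0, $keep) . ('X' x (length($text) - $keep));
}

# What a reader of the log can still recover from an XHalf-masked base64
# token, assuming only that they know XHalf keeps the first half.
sub leak_from_masked {
    my ($masked) = @_;
    my $kept = substr($masked, 0, int(length($masked) / 2));

    # Each base64 char carries 6 bits, so floor(6*n/8) bytes of the kept
    # prefix are fully determined.  Pad to a whole group with 'A' (all zero
    # bits) so decode_base64 sees complete groups, then cut to those bytes.
    my $pad    = 'A' x ((4 - length($kept) % 4) % 4);
    my $prefix = substr(decode_base64($kept . $pad), 0,
                        int(length($kept) * 6 / 8));

    # The masked tail hides any '=' padding, so the cleartext length is only
    # known to within two bytes: 3 bytes per 4-char group, minus 0..2.
    my $max_len = length($masked) / 4 * 3;

    my ($user) = $prefix =~ /^([^:]*):/;
    return {
        prefix  => $prefix,
        user    => $user,
        max_len => $max_len,
        min_len => $max_len - 2,
    };
}

# Constructed sample: the credentials behind the header value quoted above.
my $creds  = 'rogertheman:The quick brown fox jumped over the lazy dog.';
my $token  = encode_base64($creds, '');    # '' suppresses the newline
my $masked = xhalf($token);
my $leak   = leak_from_masked($masked);

print "logged:  Authorization: Basic $masked\n";
print "naive decode of the log line: ", decode_base64($masked), "\n";

if (defined $leak->{user}) {
    my $ulen = length($leak->{user}) + 1;    # username plus the ':'
    print  "username:             $leak->{user}\n";
    print  "password starts with: '", substr($leak->{prefix}, $ulen), "'\n";
    printf "password length:      %d..%d chars\n",
           $leak->{min_len} - $ulen, $leak->{max_len} - $ulen;
} else {
    print "username not fully inside the kept half\n";
}
```

Run as-is, the script reports the username rogertheman, the password prefix
"The quick brown " and a length of 43..45 characters, which is all a
dictionary attack needs; the only thing the masking hid was the padding.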
