Apache-AutoLogin



    # perhaps using md5 keys generated from this one would be better
    
    if (length($encryption_key) % 32 != 0) {
        $log->error("Encryption key must by 256 bits long (32 characters)");
        return SERVER_ERROR;
    }    
    
    # Let's get the authorization headers out of the client's request
    my $credentials='';
    my $user='';
    my $password='';
    
    my $auth_header=$r->headers_in->get('Authorization');
    if (defined $auth_header)
    {
        $credentials =(split / /, $auth_header)[-1];
        ($user, $password) = split /:/, MIME::Base64::decode($credentials),2;
    }
    
    $log->info("header $user from $client_identifier");
    
    # Look for any cookies
    
    my %cookiejar = Apache::Cookie->new($r)->parse;
    
    
    ## If the user has called the predefined logout page,


        $r->uri($logout_uri);
        return OK;
    }
    
    # If there is no cookie at all, generate one
    
    unless ($cookiejar{$auth_name}) {
        
        $log->info("Client $client_identifier has no cookie");
    
        setCookie($r,$user,$password,$client_identifier,$cookie_lifetime,$encryption_key);
        
        # DECLINED zur?ckgeben, damit Apache weitermacht.
        return DECLINED;
    }
    
        
    # Get the credentials out of the cookie
    
    my %auth_cookie=$cookiejar{$auth_name}->value;
    my $decrypted_string=decrypt_aes(decode_base64($auth_cookie{Basic}),$encryption_key);
    my ($c_user,$c_password,$c_client_ip,$c_date)=split (/:/, $decrypted_string , 4);
    
    # Check if the client has furnished any valid information
    
    if ($decrypted_string ne '')
    {
        $log->info("Data from cookie $c_user, $c_date, $c_client_ip");
        
        ## Some checks on the validity of the cookie
        
        # Check if the cookie hasn't expired
        
        if (time()>$c_date)
        {
            $log->info("Cookie has expired");
            setCookie($r,$user,$password,$client_identifier,$cookie_lifetime,$encryption_key);
            return DECLINED;
        }
        
        # Check if the cookie comes from the host it was issued to
        
        if ($client_identifier ne $c_client_ip)
        {
            $log->info("Cookie for $c_user has not been set for $client_identifier but for $c_client_ip");
            setCookie($r,$user,$password,$client_identifier,$cookie_lifetime,$encryption_key);
            return DECLINED;
        }
    }
    else
    {
        $log->info("Client $client_identifier has furnished an invalid cookie.");
    }
    
    # If the client sent any http authentication credentials lets write them to a cookie
    
    if ($user ne '' && $password ne '') {
        setCookie($r,$user,$password,$client_identifier,$cookie_lifetime,$encryption_key);
    }
    
    # Else write the credentials within the cookie into the http header
    else {
        # But only if there IS something in the cookie!
        if ($decrypted_string ne '' and $c_user ne '' and $c_password ne '')    {
            my $credentials=MIME::Base64::encode(join(":",$c_user,$c_password));
            $r->headers_in->set(Authorization => "Basic $credentials");
        }
    }
    
    # Return DECLINED
    return DECLINED;
}

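## Issue (or re-issue) the auto-login cookie for the current request.
##
## Arguments, in order:
##   $r                 - the Apache request; used for dir_config() and to
##                        bake the cookie into the outgoing headers
##   $user, $password   - the HTTP basic-auth credentials to remember
##                        (callers pass '' for both when the client sent none)
##   $client_identifier - opaque client fingerprint computed by the caller;
##                        stored in the cookie and compared on later requests
##   $cookie_lifetime   - lifetime in days (AutoLoginCookieLifetimeInDays)
##   $encryption_key    - key handed straight to encrypt_aes()
##
## The only effect is a Set-Cookie header; the return value is not used by
## the callers in this file.
##
## Note that the payload contains the user's *password*: anyone who obtains
## the cookie (plain-HTTP sniffing, a shared workstation) and can present the
## same client identifier can replay it until the embedded expiry passes.
sub setCookie {

    my ($r,$user,$password,$client_identifier,$cookie_lifetime,$encryption_key)=@_;
    my $auth_name=$r->dir_config('AutoLoginAuthName');

    # Absolute expiry stamp embedded in the payload; the reader compares it
    # against time() and re-issues the cookie once it lies in the past.
    my $expires_at = time() + 60*60*24*$cookie_lifetime;

    # Field order "user:password:client:expiry" is what the reader splits on
    # ':' into four fields -- keep it stable.
    my $payload = join(":", $user, $password, $client_identifier, $expires_at);

    # Pass '' as the EOL so MIME::Base64 emits a single unbroken line: a raw
    # CR/LF inside a cookie value has no business near a Set-Cookie header.
    # decode_base64() on the read side ignores whitespace, so cookies issued
    # by the earlier line-wrapped form still decode unchanged.
    my $sealed = encode_base64(encrypt_aes($payload, $encryption_key), '');

    my %cookie_opts = (
        -name    => $auth_name,
        -value   => { Basic => $sealed },
        -path    => "/",
        -expires => "+".$cookie_lifetime."d",
    );

    # When the request arrived over TLS, mark the cookie Secure so the browser
    # never sends the (encrypted) password back over plain HTTP.  mod_ssl
    # exposes this as the HTTPS subprocess_env variable -- confirm that holds
    # for your mod_ssl build.  Plain-HTTP deployments are unaffected.
    my $https = $r->subprocess_env('HTTPS');
    $cookie_opts{-secure} = 1 if defined $https && $https eq 'on';

    my $auth_cookie = Apache::Cookie->new($r, %cookie_opts);
    $auth_cookie->bake;

}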

sub encrypt_aes {

    my ($string, $key)=@_;


If a client wants to log out, they request a predefined page of any flavour; the module then sets an invalid cookie to erase the stored credentials.

=head2 Who should use it?

Anyone who relies on basic authentication and does not want the users to authenticate every time they point their browser at the restricted website. Especially useful for company intranets.

=head2 Security aspects

The cookie itself is AES-256 encrypted using Crypt::Rijndael and features an MD5 checksum of the data. Furthermore, some information about the client the cookie was issued for is stored as well (IP address, user-agent, hostname), which should make it m...

Anyway, although cracking the cookie is practically infeasible with today's computing power, be aware that this module is for convenience only. It does not give you any additional security (well, a bit perhaps) over traditional basic authentication, wh...

Although the cookie itself can be regarded as secure, the security of its use stands and falls with the security of the computer it is stored on and of the connection it travels over: the cookie carries the user's password, and anyone who obtains it and can present the same client identifier can replay it until it expires, so serve the site over HTTPS. If your users do not have personal accounts on their computers, forget about using it.


=head1 Apache configuration directives

All directives are passed via PerlSetVar.
        
=head2 AutoLoginCookieLifetimeInDays "3"


