[nycphp-talk] mod_auth_digest/mysql

Michele Waldman mmwaldman at nyc.rr.com
Thu Feb 5 17:39:25 EST 2009


Guys,

 

The site's going live around 8p.m. using the variation of mod_auth_digest
authenticating against mysql, that I wrote/modified, today.

Pretty exciting.  I didn't disturb its general behavior.  It still behaves
like mod_auth_digest.

And the browsers, well, they still behave like they do too.

I'm only using IE and FF for account access.  You can still view the public
pages on the other browsers.

I sent an email to Opera and I'm sending one to Safari.  Opera doesn't log
in with ajax and Safari doesn't log out.

Anyway, no one ever answered my question.  Am I the first to write
mod_auth_mysql/digest?

In a couple of weeks after my vacation, I'm going to play around with it
some more.  Getting the password from httpd.conf was an issue.

I wanted it working, so I temporarily cut my losses.

I have one pressing htaccess issue.  I'm thinking about joining
webmasterworld.com.  Anyone have a subscription?  Should I pay to use the
forum?

I'm thinking about hacking httpd again.

They have rewritemod -f, is file, -d is directory, but not -n, variable does
not exist.  I'm thinking about adding it.  It looks like a variable not
existing always evaluates to true, so using REMOTE_USER is a problem to test
if the user is logged in.  Unfortunately, even after logout the
authorization contains the realm on backpage.  I couldn't find a way for
REMOTE_USER to be always defined even if no one is logged in.  I think it
would be nice like Apache addition.  Shouldn't be too hard to implement.
Check for the flag, see if the variable exists, return true or false.  It
will work nicely with mod_auth_digest.  Keep those pesky login dialogs from
popping up on backpage, hopefully.

 

I want to implement this little tidbit:

RewriteEngine On
RewriteCond %{REMOTE_USER} -n
RewriteRule ^.*$ http://domain/path/logged_out.html [R]

This doesn't work when remote_user is not defined.  It seems to always
evaluate to true:

RewriteEngine On
RewriteCond %{REMOTE_USER} !=""
RewriteRule ^.*$ - [S=1]
RewriteRule ^.*$ http://domain/path/logged_out.html [R]

You put the actual logging authtype stuff below this segment.

Once I get it tight and the browsers get on board.  Some folks doing smaller
sized websites may want to check it out.  Ajax is not necessary.  One guy
said it isn't good for login in case it craps out, but it's over a ssl, so
I'm not that worried.  Should I be?  Plus, I put too much freaking work into
the ajax implementation to turn back now.  The reason I went mod_auth_digest
was cause totally hinging on cookies for account security was freaking me
out and I was doing that with mod_auth_basic.  I use php for security mostly
outside the account, but very little inside.  I know more misinformation and
a whole lot of vagueness.

I'm going to turn my websites into Fort Knox, if it kills me.

 

Michele
