Cookie Authentication in Apache
Sure. I do the same thing.
When a user logs in, I give them a cookie and create a token in /t/tokenid, and put it in a cookie: S=tokenid;PATH=/
Then, I can use RewriteCond to check for the file's existence:
RewriteEngine on
# check for no cookie being set
RewriteCond %{HTTP:Cookie} !S=([a-zA-Z0-9]+)
RewriteRule ^/*protected/ /login.html [L,R]
# check for an invalid cookie being set
RewriteCond %{HTTP:Cookie} S=([a-zA-Z0-9]+)
RewriteCond /t/%1 !-f
RewriteRule ^/*protected/ /login.html [L,R]
Finally, a garbage collector runs periodically and deletes old tokens:
find /t -type f -atime +1 -delete
To make the atime automatically update, I have /t mounted without noatime, and I have it web-accessible (but not indexed) and part of the stylesheet references /loggedin.txt which is rewritten as:
RewriteCond %{HTTP:Cookie} S=([a-zA-Z0-9]+)
RewriteRule ^/*loggedin\.txt$ /t/%1 [L]
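
The token lifecycle described in the answer above, as an added shell example that is not part of the original answer. The function names, the TOKEN_DIR variable (standing in for /t) and the choice of 128-bit hex tokens are assumptions; the cookie check goes slightly beyond the answer's pattern by requiring S to be a whole cookie name and its value to be entirely alphanumeric.

```shell
#!/bin/sh
# Added example: token-file session scheme (issue, check, expire).
# TOKEN_DIR stands in for /t from the answer; all function names are hypothetical.
TOKEN_DIR="${TOKEN_DIR:-/t}"

# Create a token file and print the cookie value in the answer's format.
issue_token() {
    # 16 bytes from the kernel CSPRNG as 32 hex chars; fits [a-zA-Z0-9]+
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    : > "$TOKEN_DIR/$token" || return 1
    printf 'S=%s;PATH=/\n' "$token"
}

# Print the value of cookie S from a Cookie header, or nothing.
# The unanchored pattern S=([a-zA-Z0-9]+) also matches inside names such as
# "XS=..."; here S must be the whole cookie name. The alphanumeric class is
# what keeps "/" and "." out of the path that is built from the token.
cookie_token() {
    printf '%s\n' "$1" | tr ';' '\n' |
        LC_ALL=C sed -n 's/^ *S=\([a-zA-Z0-9][a-zA-Z0-9]*\)$/\1/p' | head -n 1
}

# Succeed only if the cookie names a token whose file exists
# (the positive form of "RewriteCond /t/%1 !-f").
token_valid() {
    t=$(cookie_token "$1")
    [ -n "$t" ] && [ -f "$TOKEN_DIR/$t" ]
}

# Expire tokens whose last access is more than a day old.
gc_tokens() {
    find "$TOKEN_DIR" -type f -atime +1 -delete
}
```
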
user19084
Updated on September 17, 2022
Comments
-
user19084 over 1 year
I'm trying to set up a reverse proxy in Apache. The user will be required to log in, and will then be sent a cookie. I want Apache to check the cookie. Is there a way to do this?
EG, right now my config looks like this:
<VirtualHost *:82>
    # username:password sent on to endpoint
    RequestHeader set Authorization "Basic cm9vdjfjDJaGRvYa=="
    ProxyPass /monitors/2/ http://192.168.1.6/foo.cgi
    ProxyPassReverse /monitors/2/ http://192.168.1.6/foo.cgi
</VirtualHost>
Can I add something in the VirtualHost to restrict access based on a cookie?
-
user19084 over 14 years
I'm not sure if this is universal, but the Ruby CGI library encodes "=" as "%3D", so my RewriteCond looks like this:
RewriteCond %{HTTP:Cookie} S%3D([a-zA-Z0-9]+)