Cookie Authentication in Apache

7,178

Sure. I do the same thing.

When a user logs in, I give them a cookie and create a token in /t/tokenid, and put it in a cookie: S=tokenid;PATH=/

Then, I can use RewriteCond to check for the file's existence:

RewriteEngine on
# check for no cookie being set
RewriteCond %{HTTP:Cookie} !S=([a-zA-Z0-9]+)
RewriteRule ^/*protected/ /login.html [L,R]
# check for an invalid cookie being set
RewriteCond %{HTTP:Cookie} S=([a-zA-Z0-9]+)
RewriteCond /t/%1 !-f
RewriteRule ^/*protected/ /login.html [L,R]

Finally, a garbage collector runs periodically and deletes old tokens:

# remove token files whose last access is more than a day old
find /t -type f -atime +1 -delete

To make the atime automatically update, I have /t mounted without noatime, and I have it web-accessible (but not indexed) and part of the stylesheet references /loggedin.txt which is rewritten as:

RewriteCond %{HTTP:Cookie} S=([a-zA-Z0-9]+)
RewriteRule ^/*loggedin\.txt$ /t/%1 [L]

Author: user19084

Updated on September 17, 2022
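
The token lifecycle from the answer above (issue at login, check for the token file on each request, expire by access time), as an added Python example that is not part of the original answer. The function names and the token directory passed in are assumptions; the cookie pattern is the one from the answer's RewriteCond.

```python
import os
import re
import secrets
import time

# Same pattern as the answer's RewriteCond. Only [a-zA-Z0-9] is captured, so the
# value joined onto the token directory can never contain "/" or "..".
COOKIE_RE = re.compile(r"S=([a-zA-Z0-9]+)")


def issue_token(token_dir):
    """Login step: create the token file, return (token, Set-Cookie value)."""
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, hex digits only
    # O_EXCL fails instead of reusing an existing file. Mode 0600 assumes the
    # login handler runs as the same user as Apache (an assumption of this example).
    fd = os.open(os.path.join(token_dir, token),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return token, f"S={token}; Path=/; HttpOnly"


def is_authorized(cookie_header, token_dir):
    """Mirror of the two rewrite checks for /protected/."""
    match = COOKIE_RE.search(cookie_header or "")
    if match is None:
        return False  # rule 1: no S cookie, redirect to /login.html
    # rule 2: RewriteCond /t/%1 !-f, redirect unless the token file exists
    return os.path.isfile(os.path.join(token_dir, match.group(1)))


def collect_garbage(token_dir, max_idle=86400, now=None):
    """Delete token files whose last access is older than max_idle seconds."""
    now = time.time() if now is None else now
    removed = []
    for entry in os.scandir(token_dir):
        if not entry.is_file(follow_symlinks=False):
            continue
        if now - entry.stat(follow_symlinks=False).st_atime > max_idle:
            os.unlink(entry.path)
            removed.append(entry.name)
    return removed
```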

Comments

  • user19084
    user19084 over 1 year

    I'm trying to set up a reverse proxy in Apache. The user will be required to log in, and will then be sent a cookie. I want Apache to check the cookie. Is there a way to do this?

    E.g., right now my config looks like this:

    <VirtualHost *:82>
      # username:password sent on to endpoint
      RequestHeader set Authorization "Basic cm9vdjfjDJaGRvYa=="
    
      ProxyPass /monitors/2/ http://192.168.1.6/foo.cgi
      ProxyPassReverse /monitors/2/ http://192.168.1.6/foo.cgi
    </VirtualHost>
    

    Can I add something in the VirtualHost to restrict access based on a cookie?

  • user19084
    user19084 over 14 years
    I'm not sure if this is universal, but the Ruby CGI library encodes "=" as "%3D", so my RewriteCond looks like this: RewriteCond %{HTTP:Cookie} S%3D([a-zA-Z0-9]+)