Cookie Authentication in Apache

security authentication apache-2.2 reverse-proxy cookies

Solution 1:

Sure. I do the same thing.

When a user logs in, I give them a cookie and create a token in /t/tokenid, and put it in a cookie: S=tokenid;PATH=/

Then, I can use RewriteCond to check for the file's existence:

RewriteEngine on
# check for no cookie being set
RewriteCond %{HTTP:Cookie} !S=([a-zA-Z0-9]+)
RewriteRule ^/*protected/ /login.html [L,R]
# check for an invalid cookie being set
RewriteCond %{HTTP:Cookie} S=([a-zA-Z0-9]+)
RewriteCond /t/%1 !-f
RewriteRule ^/*protected/ /login.html [L,R]

Finally, a garbage collector runs periodically and deletes old tokens:

find /t -type f \! -atime +1 -delete

To make the atime automatically update, I have /t mounted without noatime, and I have it web-accessible (but not indexed) and part of the stylesheet references /loggedin.txt which is rewritten as:

RewriteCond %{HTTP:Cookie} S=([a-zA-Z0-9]+)
RewriteRule ^/*loggedin\.txt$ /t/%1 [L]

Related

How can I enable packet forwarding on Windows?
How to boot after RAID failure (software RAID)?
nginx: gzip on server is lost during proxy
Why can Win10 Nodes Check In With WSUS But Not Pull Updates (0x8024401c)
How do I fix a 'Failed to retrieve RMIServer stub' JMX error?
Good/free tool or way to backup drivers
Options for managing Smart Array P400 on an ESXi 5 host
What's the best way of setting up a cron job to check that a long-running process is still going and if not, start it?
iptables allow all outgoing - still can't resolve dns or make a http request
SQL Server database on an external hard disk drive
Don’t have permission to access SQL Server Express 2008?
rsync from one remote to another