Auth MemCookie
is an Apache v2 Authentication and authorization modules are based on cookie
Authentication mechanism.
The module doesn’t make Authentication by it self, but verify if Authentication the cookie
is valid for each url protected by the module. The module validate also if the authenticated user
have authorization to access url.
Authentication
is made externally by an Authentication html form page
and all Authentication information necessary to the module a stored in memcached
identified by the cookie value Authentication session id
by this login page.
Authentication
is made by a login form page.
This login page must authenticate
the user
with any authenticate source
(ldap, /etc/password, file, database....) accessible to language
of the page
(php, perl, java... an ldap login page sample in php are in samples directory).
Then this page must set cookie
that contains only a key the Authentication unique id
of the Authentication session
.
The login page must store
authorization and user information of the authenticated user in memcached
identified by the cookie key Authentication unique id
.
The login page
can be developed in any language you want
, but must be capable to use memcached
(they must have memcache client api for us)
After the user is logged, the Auth MemCookie module check on each protected page by apache ACL is the user is authenticated.
When authenticating a request Auth MemCookie module walks through the following steps:
-
Get the
session id
. Thesession id
is stored in a cookie (by default namedAuthMemCookie
). -
Get the
session data
. Auth MemCookie module fetchessession data
by looking up the session id on the memcached server. -
Verify the
remote ip
. Auth MemCookie module checks the ip address stored in thesession data
against the ip address of the current request. This step is optional, and can be disabled by setting theAuth_memCookie_MatchIP
option to no. -
Get username and groups from
session data
. The username is stored in theUserName
field in thesession data
and the groups the user is a member of is stored in the Groups field. -
Check username and groups against
Require
configuration directives.
If any of the steps 1-4 fails, then Auth MemCookie will return a HTTP_UNAUTHORIZED
(401) Authorization Required error. A HTTP_FORBIDDEN
(403) Forbidden error will be returned if the last step fails.
When a user is successfully authenticated, Auth MemCookie will store all the fields from the session data
in environment variables accessible to the web page. Every field of the session data
will be send http header MCAC_<field-name>
to the value of the field.
The session data
stored in memcached are composed with multiple line in form of name
equal value
ended by \r\n
. some are mandatory, other are optional and the rest are information only (all this field are transmitted to the script language protect the module).
Session data
format:
UserName=<user name>\r\n
Groups=<group name1>:<group name2>:...\r\n
RemoteIP=<remote ip>\r\n
Password=<password>\r\n
Expiration=<expiration time>\r\n
Email=<email>\r\n
Name=<name>\r\n
GivenName=<given name>\r\n
- Username: are mandatory.
- Groups: are mandatory, are used to check group in apache acl. if no group are know for the user, must be blank (Groups=\r\n)
- RemoteIP: are mandatory, used by remote ip check function in apache module.
- Password: are not mandatory, and is not recommended to store in memcached for security reson, but if stored, is sent to the script language protected by the module.
- The other fields are information only, but they are sent to the langage that are behind the module (via environement variable or http header).
The session field size is for the moment limited to 10 fields by default.
You must have compiled and installed:
-
Apache HTTPD Apache HTTPD server (Requires v2.0+).
-
memcached the cache daemon it self.
-
libmemcached the C client API needed to compile the Apache Module (require v1.0+).
-
autoconf the gnu autotool to rebuild configure script from
autoconf.ac
and m4 files.
# autoconf -f
# ./configure --with-apxs=/path/to/apache/httpd/bin/apxs --with-libmemcached=/path/to/libmemcached_install_dir/
# make
# make install
-
where --with-libmemcached is the installation directory of libmemcached (require v1.0+) library.
Generaly with libmemcached os package you need simply to specify --with-libmemcached=/usr. They require generaly to install libmemcached developper package.
- debian version wheezy, jessie, stretch, buster, sid have v1.0 packaged.
- centos/rhel you need v7 to have libmemcached v1.0 packaged
- fedora v25+ have v1.0 packaged
- ubuntu trusty, xenial, yakkety, zesty, artful have v1.0 packaged.
-
where --with-apxs= is the path of apache apxs2 build script (require apache v2.0+).
Generaly with apache httpd os package you simply need to specify --with-apxs=/usr/bin/apxs or --with-apxs=/usr/sbin/apxs (the default path depend on the distribution, you can find it with
type apxs
shell command). They require generaly to install apache developper package.
After that the mod_auth_memcookie.so
is generated in apache modules
installation directory.
This option can be used in location
or directory
apache context.
-
Auth_memCookie_Memcached_Configuration
This configuration directive permit to configure libmemcached initialisation. The syntax of this directive value are defined her: http://docs.libmemcached.org/libmemcached_configuration.html
With that directive you can specify a liste of ip or host adresse(s) and port
:
separed of memcache(s) daemon to be used.For exemple:
Auth_memCookie_Memcached_Configuration "--SERVER=host10.example.com:port1 --SERVER=host11.example.com:port2 --SERVER=host10.example.com:port3"
To use consistant distribution of hash on multiple memcached server add
--DISTRIBUTION=consistent
and for replication--NUMBER-OF-REPLICAS=2
. But your login page must use the same algorithm than libmemcached library that by default use the ketama distribution algorithm with md5 hash.For example with php you can use PECL Memcached extension that are also based on libmemcached library that support the same consistant distribution algorithm before add server list.
Sample:
$memcached=new Memcached(); $memcached->setOption( Memcached::OPT_DISTRIBUTION,Memcached::DISTRIBUTION_CONSISTENT);
-
Auth_memCookie_Memcached_SessionObject_ExpireTime
Session object stored in memcached expiry time, in secondes.
Used only if
Auth_memCookie_Memcached_SessionObject_ExpiryReset
is set toon
.Set to 3600 seconds by default.
-
Auth_memCookie_Memcached_SessionObject_ExpiryReset
Set to
off
to not reset object expiry time in memcache on each url, is set toon
by default.By default on each request authenticated by the module, the object expiry in memcached of the
session data
are reset to make expiry base on inactivity, if set tooff
the expiry are based on session time length. -
Auth_memCookie_SessionTableSize
Max number of element in session information table, is set to 10 by default.
-
Auth_memCookie_SetSessionHTTPHeader
Set to
on
to set session information to http header of the authenticated users, is set tooff
by default. Each session field are sended to backend. Each session field name are prefixed byAuth_memCookie_SetSessionHTTPHeaderPrefix
changed to uppercase. -
Auth_memCookie_SetSessionHTTPHeaderEncode
Set to
on
to mime64 encode session information to http header, is set tooff
by default. -
Auth_memCookie_SetSessionHTTPHeaderPrefix
Set HTTP header prefix, is set to
MCAC_
by default. -
Auth_memCookie_CookieName
Name of the cookie to used for check authentification, is set to
AuthMemCookie
by default. -
Auth_memCookie_MatchIP_Mode
To check cookie ip adresse, Set to
1
to useX-Forwarded-For
http header, to2
to useVia
http header, and to3
to use apacheremote_ip
, is set to0
by default to desactivate the ip check. -
Auth_memCookie_GroupAuthoritative (only on apache <2.4)
Set to
off
to allow access control to be passed along to lower modules, for group acl check, is set toon
by default. -
Auth_memCookie_Authoritative
Set to
off
to allow access control to be passed along to lower modules, is set toon
by default. -
Auth_memCookie_SilmulateAuthBasic
Set to
off
to not fixhttp header
andauth_type
for simulatingauth basic
for scripting language likephp
authentication framework work, is set toon
by default.with this option this $_SERVER variable are normaly set on php:
AUTH_TYPE = "basic" PHP_AUTH_USER = "user" PHP_AUTH_PW = "password"
-
Auth_memCookie_DisableNoStore
Set to
on
to stop the sending of aCache-Control
header set tono-store
with the login screen. This allows the browser to cache the credentials, but at the risk of it being possible for the login form to be resubmitted and revealed to the backend server through XSS. Use at own risk. -
Auth_memCookie_SASLAuth
Set to
on
to enable SASL authentication. If this is set,Auth_memCookie_SASLUsername
andAuth_memcookie_SASLPassword
should also be set. Defaults tooff
. -
Auth_memCookie_SASLUsername
Username to use when authenticating to memcached if
Auth_memCookie_SASLAuth
ison
. Defaults touser
. -
Auth_memCookie_SASLPassword
Password to use when authenticating to memcached if
Auth_memCookie_SASLAuth
ison
. Defaults topass
.
The application recieve this information:
REMOTE_USER
are set to the user logged nameAUTHMEMCOOKIE_PREFIX
are set to value ofAuth_memCookie_SetSessionHTTPHeaderPrefix
AUTHMEMCOOKIE_AUTH
are set toyes
when protected,no
when in public zone.
And all session field (prefixed by Auth_memCookie_SetSessionHTTPHeaderPrefix
/AUTHMEMCOOKIE_PREFIX
) if Auth_memCookie_SetSessionHTTPHeader
is on
.
And if Auth_memCookie_SilmulateAuthBasic
is set, they recieve also this $_SERVER
variable :
AUTH_TYPE = "basic"
PHP_AUTH_USER = "user"
PHP_AUTH_PW = "password"
Apache 2.3/2.4 authn/authz model
The module add some Require
/authz
provider:
-
Require mcac-group
To limit access to groups specified in session (
groups
session field) by the login script. Use the same syntax thanRequire group
. ButRequire group
on apache 2.3/2.4 work only with mod_authz_groupfile.They also support multiple groups like that:
Require mcac-group group1 group2 group3
If one match on group of the
groups
session field they are granted. -
Require mcac-public
They make possible to specify public access zone.
In that zone authenticated or not are granted but authenticated can send session information to backend depend on
Auth_memCookie_SetSessionHTTPHeader
flag.<Location /publiczone> Require mcac-public </Location>
-
Require valid-user and Require user
All the two a provided by mod_authz_user core apache module.
Configuration sample for using Auth_memcookie apache V2.4 module:
LoadModule mod_auth_memcookie_module modules/mod_auth_memcookie.so
<IfModule mod_auth_memcookie.c>
<Location />
Auth_memCookie_CookieName myauthcookie
Auth_memCookie_Memcached_Configuration --SERVER=127.0.0.1:11000
# to redirect unauthorized user to the login page
ErrorDocument 401 "/gestionuser/login.php"
# to specify if the module are autoritative in this directory
Auth_memCookie_Authoritative on
# must be set without that the refuse authentification
AuthType Cookie
# must be set (apache mandatory) but not used by the module
AuthName "My Login"
require mcac-public
</Location>
</IfModule>
# to protect juste user authentification
<Location "/myprotectedurl">
require valid-user
</Location>
# to protect acces to user in group1
<Location "/myprotectedurlgroup1">
require mcac-group group1
</Location>
Apache 2.0/2.2 authn/authz model
-
Require group groupname [groupname]...
Only users with the specified groups can access the resource.
-
Require valid-user
Any valid user can access the resource.
-
Require user user_id [user_id]...
Only specified users can access the resource.
all this directive are from mod_auth_basic module.
Configuration sample for using Auth_memcookie apache V2.0 module:
LoadModule mod_auth_memcookie_module modules/mod_auth_memcookie.so
<IfModule mod_auth_memcookie.c>
<Location />
Auth_memCookie_CookieName myauthcookie
Auth_memCookie_Memcached_Configuration --SERVER=127.0.0.1:11000
# to redirect unauthorized user to the login page
ErrorDocument 401 "/gestionuser/login.php"
# to specify if the module are autoritative in this directory
Auth_memCookie_Authoritative on
# must be set without that the refuse authentification
AuthType Cookie
# must be set (apache mandatory) but not used by the module
AuthName "My Login"
</Location>
</IfModule>
# to protect juste user authentification
<Location "/myprotectedurl">
require valid-user
</Location>
# to protect acces to user in group1
<Location "/myprotectedurlgroup1">
require group group1
</Location>
- Full support for apache 2.3/2.4 authz/authn model support
- Fix HTTP header not sending to backend
- Add support for setting prefix HTTP header other than
"MCAC_"
- Add public zone support (
Require mcac-public
only in apache 2.3/2.4) - HTTP header name sended to backend in uppercase
- Migration from old libmemcache (Sean Chittenden) to modern libmemcached (Brian Aker)
- Correct handling of "=" in value of the memcache session (E. Dumas).
- Don't breaks basic authentication (Steve Gaarder)
- Multi users/groups require support
- Fix memory leak when mc_aget2 return NULL
- Apache 2.4 partial support (no use the new security model)
- Fix somme portability issue (apr_strtok in place of strtok, and variable definition in front of function)