
Login Authentication

How to establish an authenticated session


Eric_K

3:53 pm on Apr 11, 2011 (gmt 0)

10+ Year Member



Please advise if there is a better topic area to post this ...

Background:

I have over 30 years' experience programming in various languages, but web programming is new to me.

I am developing a website without using any tools. The HTML is all hand written, and the server side application is also hand written, mostly in C, with some Perl.

One of the features I need to implement is to allow registered users to log in, giving them access to their personal account information. I have developed a client page that posts (via HTTPS) a form with a username and password. For test purposes, the service currently validates the user/passwd against accounts saved in a flat file stored on the server above the web root, and responds with the user's requested information.

Problem:

I do not know how to establish a session between the server and the browser to enable the user to continue thereafter in an authenticated state. One way to do this would be for me to pass an encrypted session key back and forth at the application level, but I believe that kind of logic is already implemented in the infrastructure and I don't want to reinvent the wheel.

I am guessing the right way has something to do with htaccess and/or htpassword; and I suppose there must be some API (?) to inform the Apache webserver that the session is authenticated ... Am I even close?

mbabuskov

5:45 pm on Apr 11, 2011 (gmt 0)

10+ Year Member



There are 3 ways to track the session key:

1. use cookies
2. rewrite all requests to include session key
3. use HTTP authentication and read username/password from HTTP headers

All have drawbacks. Cookies might be turned off in browsers, rewriting could make your URLs look strange, and HTTP auth requires that you go out of the box to set it up (and also could create problems if the same user tries to work in 2 browsers at the same time; this depends on your application logic - it might be a good thing for some).

Eric_K

6:23 pm on Apr 11, 2011 (gmt 0)

10+ Year Member



Thx, I guess it's HTTP Authentication I'm thinking of ... What do you mean by "going out of the box"? Could you give me a quick thumbnail of how it works?

I understand the theory; what I need to know is how to code it. How do I get the browser to fill in the user/passwd into the protocol header (?right?) and how then do I fetch it at the server ... Does Apache authenticate the header? Is that what htpasswd is all about? Is this action forced by htaccess?

I'm missing a critical connection.
-EK

jdMorgan

9:52 pm on Apr 14, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you're coding in C and Perl, you're already well out of the box.

Suggestions: Take a look at mod_auth... at Apache.org for an overview of native Apache authentication/authorization. (I labeled it "auth..." because the name changes between Apache 1.x and 2.x, and because Apache 2.x has several "flavors" in different modules.)

Then add the "Live HTTP headers" add-on to your favorite Mozilla-based browser, and go visit some sites that require you to log in. You will then see the client's view of various auth implementations, as well as seeing the exact names and formats of the HTTP headers you'll need to use.

No magic answer, just an easy hands-on way to get up to speed.

Jim
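As an added illustration of option 3 above (HTTP authentication, with the credential carried in the request header) and of the "how do I fetch it at the server" question, here is the server side in the C the original poster is working in. This is example code, not something posted in the thread or part of Apache: it assumes the raw Authorization header value is handed to the program (for instance via a getenv() call), whereas when Apache's own mod_auth does the check a CGI only sees the verified name in REMOTE_USER; the function names and the realm string are my own.

```c
/* Added example, not from the thread: CGI-side handling of HTTP Basic auth.
 * Assumes the "Authorization" header value is handed to the program as-is. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Decode base64 text into out (NUL-terminated). Returns the decoded length,
 * or -1 on an invalid character or if out is too small. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0; int bits = 0; size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Split an "Authorization: Basic <base64(user:pass)>" value into user and pass.
 * Returns 1 on success, 0 if the header is missing, uses another scheme,
 * does not decode, lacks the ':' separator or would overflow the buffers. */
int parse_basic_auth(const char *hdr, char *user, size_t ulen,
                     char *pass, size_t plen) {
    unsigned char buf[512];
    char *colon;
    if (!hdr || strncasecmp(hdr, "Basic ", 6) != 0) return 0;
    if (b64_decode(hdr + 6, buf, sizeof buf) < 0) return 0;
    colon = strchr((char *)buf, ':');
    if (!colon) return 0;
    *colon = '\0';
    if (strlen((char *)buf) >= ulen || strlen(colon + 1) >= plen) return 0;
    strcpy(user, (char *)buf);
    strcpy(pass, colon + 1);
    return 1;
}

/* Build the 401 response head (CGI "Status:" form) that makes the browser
 * prompt the user and resend the request with an Authorization header. */
int format_challenge(char *out, size_t outlen, const char *realm) {
    return snprintf(out, outlen, "Status: 401 Unauthorized\r\n"
                    "WWW-Authenticate: Basic realm=\"%s\"\r\n\r\n", realm);
}
```

The credential arrives on every request, so it must be checked on every request, and only over HTTPS; base64 is an encoding, not encryption.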

Eric_K

3:23 am on Apr 15, 2011 (gmt 0)

10+ Year Member



Great tip, thanks.