Jonathan has asked for the wisdom of the Perl Monks concerning the following question:

Little off topic so feel free to flame if your dignity has been remotely compromised.

I admin and maintain (among other things) an intranet Apache web server. For security reasons users are required to log in. I am using Basic authorisation (didn't have time to implement a CGI frontend). The conf lines are:

    <Location />
        AuthName "APPLICATION LOGIN"
        AuthType Basic
        PerlAuthenHandler Apache::AccessCheck
        require valid-user
    </Location>
My Apache::AccessCheck module encrypts the users password and then checks it against a database. If they match I return OK, else FORBIDDEN or AUTH_REQUIRED. This works but if the user is not allowed in they cannot re-try. In fact they have to close and re-open their browsers (IE4 and IE5).
Ideally I'd like to give users three chances, can anyone suggest a way to direct the browser to ask for name and password again?

Re: Apache AuthType problem
by tomhukins (Curate) on Feb 21, 2001 at 20:37 UTC
    This sounds like a problem I encountered last week, although it's hard to tell without seeing your code.

    Before returning AUTH_REQUIRED, you need to call $r->note_basic_auth_failure, otherwise the WWW-Authenticate HTTP header isn't returned, so the browser doesn't ask the user to re-enter their username and password.

    Strictly speaking, you should return FORBIDDEN from a PerlAuthzHandler which is called after the PerlAuthenHandler. This gives you the flexibility to deal with authentication and authorisation in different stages. You can use $r->notes to pass variables between separate handlers.

    If you want to give the user three chances only, you'd need to store some session data, possibly using Apache::Session. However, I can't see the advantage of this, as malicious clients will find some way of pretending to be someone else (User-Agent modification, dispose session cookies, etc.) then send three more requests.

      Hmmm, not too sure I understand what you mean (one day I promise to stay awake long enough to read more than the first paragraph of the HTTP specification). I've already got the $r->note_basic_auth_failure; call in the code.
      The code is very straightforward:

          package Apache::AccessCheck;
          use strict;
          use Apache::Constants qw(OK AUTH_REQUIRED FORBIDDEN);

          sub handler {
              my $r = shift;
              # Parse the Authorization header; $res is non-OK if it is missing or malformed.
              my ($res, $sent_pw) = $r->get_basic_auth_pw;
              return $res if $res != OK;
              my $user = $r->connection->user;
              unless ($user and $sent_pw) {
                  $r->note_basic_auth_failure;
                  $r->log_reason("Both a username and password must be provided", $r->filename);
                  return AUTH_REQUIRED;
              }
              # ... (password encryption and database lookup omitted in the post;
              #      they set $encrypt_passwd and $glas_password) ...

      And at the end:

              return FORBIDDEN if ($encrypt_passwd ne $glas_password);
              # Got this far - guess we can let them in
              return OK;
          }

          1;
          __END__
        At the end where you have

            return FORBIDDEN if ($encrypt_passwd ne $glas_password);

        you should have

            if ($encrypt_passwd ne $glas_password) {
                $r->note_basic_auth_failure;
                $r->log_reason("Invalid password", $r->filename);
                return AUTH_REQUIRED;
            }

        Returning FORBIDDEN tells the client that their credentials are valid (ie. they entered a valid username/password combination) but that they aren't allowed to access this resource.

        I suggest you take a quick look at the difference between PerlAuthenHandler and PerlAuthzHandler. As I mentioned earlier in this thread, you shouldn't use FORBIDDEN in a PerlAuthenHandler.

        I know what you mean about the HTTP spec, I've been meaning to read it thoroughly for the past 6 years, but it's too scary :-)
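The handler as corrected in this exchange, written out as an added example (it is neither the poster's Apache::AccessCheck nor tomhukins' code). It assumes the mod_perl 1.x API used in the thread and replaces the database lookup with a constructed in-memory hash of crypt()ed passwords; every wrong-credential path answers 401 with the WWW-Authenticate header so the browser prompts again.

```perl
package My::BasicAuthExample;   # hypothetical module name for this example
use strict;
use warnings;
use Apache::Constants qw(OK AUTH_REQUIRED);

# Constructed credential store: username => crypt()ed password.
# The thread's module reads this from a database; the values here are made up.
my %PASSWD = (
    alice => crypt('letmein', 'ab'),   # constructed entry, salt "ab"
);

sub handler {
    my $r = shift;

    # Parse the Authorization header. If it is absent or malformed,
    # get_basic_auth_pw already arranged the 401 challenge; just return it.
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;

    my $user = $r->connection->user;
    unless (defined $user && length $user && defined $sent_pw && length $sent_pw) {
        return _challenge_again($r, 'Both a username and password must be provided');
    }

    # crypt() with the stored hash as salt reuses that hash's own salt,
    # so the comparison works for DES and the newer $id$ formats alike.
    my $stored = $PASSWD{$user};
    if (!defined $stored || crypt($sent_pw, $stored) ne $stored) {
        # Same response for unknown user and wrong password: no username probing.
        return _challenge_again($r, "Invalid credentials for '$user'");
    }

    return OK;   # authenticated; authorisation belongs in a PerlAuthzHandler
}

# Bad credentials are an authentication failure: send 401 plus WWW-Authenticate
# (note_basic_auth_failure) so the browser asks again. 403 would tell the client
# the credentials were accepted but the resource is off limits, and IE then
# stops prompting until the browser is restarted, as the poster observed.
sub _challenge_again {
    my ($r, $why) = @_;
    $r->note_basic_auth_failure;
    $r->log_reason($why, $r->filename);
    return AUTH_REQUIRED;
}

1;
```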

Re: Apache AuthType problem
by merlyn (Sage) on Feb 21, 2001 at 20:58 UTC
Re: Apache AuthType problem
by sierrathedog04 (Hermit) on Feb 21, 2001 at 22:35 UTC
    The following .htaccess file gives the user three chances:

        AuthName "KeepEmOut Processing Centre MyDesk"
        AuthType Basic
        AuthUserFile /usr/local/apache/share/cgi-bin/.htpasswd
        AuthGroupFile /usr/local/apache/share/cgi-bin/.htgroup
        <LIMIT GET POST>
            require group MYgroup
        </LIMIT>

    Some additional directives from the conf file are:

        <Directory />
            Options None
            AllowOverride None
        </Directory>

    and

        <Directory /usr/local/apache/share/htdocs>
            Options Indexes FollowSymLinks
            AllowOverride All
            order allow,deny
            allow from all
        </Directory>

    My point is merely that three-strikes-and-you're-out appears to be the default behaviour for an Apache 1.3 web server. One must do something special to get the behavior you describe.

    Is it possible that the Apache::AccessCheck module is causing this problem? If so I wonder whether judicious use of Perl's eval function could hit the spot.