
apache-authcookie's Introduction

OVERVIEW

Apache::AuthCookie allows you to intercept a user's first unauthenticated
access to a protected document. The user will be presented with a custom
form where they can enter authentication credentials. The credentials are
posted to the server where AuthCookie verifies them and returns a session
key.

The session key is returned to the user's browser as a cookie, so the browser
sends it on every subsequent access. AuthCookie verifies the session key on
each of those requests and re-authenticates the user.

All you have to do is write a custom module that inherits from AuthCookie.
See the POD documentation for more details.
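As an added illustration of the subclass the paragraph above asks for (example code written for this page, not part of the Apache::AuthCookie distribution), here is a minimal mod_perl 2 handler implementing the two methods AuthCookie calls back into: `authen_cred`, which turns posted credentials into a session key, and `authen_ses_key`, which turns a presented cookie back into a username. The package name `Sample::AuthCookieHandler`, the in-memory user table and the `SampleSessionSecret` PerlSetVar are all constructed for the example; the session key is an HMAC-signed `user:expiry` pair so the server keeps no per-session state.

```perl
package Sample::AuthCookieHandler;

use strict;
use warnings;
use base 'Apache2::AuthCookie';

use Apache2::RequestRec ();
use Apache2::Access ();
use Digest::SHA qw(sha256_hex hmac_sha256_hex);

# Constructed demo user table: username => SHA-256 hex of the password.
# A deployment would use a real credential store with a slow password hash.
my %USERS = (
    alice => sha256_hex('correct horse battery staple'),
);

my $TTL = 8 * 3600;    # session key lifetime in seconds

# Signing secret, read from an assumed PerlSetVar "<AuthName>SessionSecret"
# (e.g. "SampleSessionSecret" for AuthName "Sample").
sub _secret {
    my ($r) = @_;
    my $secret = $r->dir_config($r->auth_name . 'SessionSecret');
    die "no SessionSecret configured for " . $r->auth_name . "\n"
        unless defined $secret && length($secret) >= 32;
    return $secret;
}

# AuthCookie calls this with the login form's credential_0, credential_1, ...
# values. Return a session key on success, undef to reject the login.
sub authen_cred {
    my ($self, $r, $user, $password) = @_;

    return undef unless defined $user && defined $password;
    return undef if $user =~ /:/;    # ':' is the separator inside the key
    my $stored = $USERS{$user} or return undef;
    return undef unless _const_eq($stored, sha256_hex($password));

    my $payload = join ':', $user, time() + $TTL;
    return $payload . ':' . hmac_sha256_hex($payload, _secret($r));
}

# AuthCookie calls this on every later request with the cookie value.
# Return the username if the key is intact and unexpired, undef otherwise
# (AuthCookie then sends the browser back to the login form).
sub authen_ses_key {
    my ($self, $r, $key) = @_;

    my ($user, $expires, $mac) = split /:/, ($key // ''), 3;
    return undef unless defined $mac && $expires =~ /\A\d+\z/;
    my $expected = hmac_sha256_hex("$user:$expires", _secret($r));
    return undef unless _const_eq($mac, $expected);
    return undef if $expires <= time();
    return $user;
}

# Constant-time comparison so the hash and MAC checks do not leak timing.
sub _const_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

1;
```

The matching Apache configuration follows the same pattern as the user configurations quoted in the issues on this page: `PerlSetVar SamplePath /`, `PerlSetVar SampleLoginScript /login.pl` and `PerlSetVar SampleSessionSecret <long random string>`, then on the protected location `AuthType Sample::AuthCookieHandler`, `AuthName Sample`, `PerlAuthenHandler Sample::AuthCookieHandler->authenticate`, `PerlAuthzHandler Sample::AuthCookieHandler->authorize` and `require valid-user`, with the login form posting to a `/LOGIN` location handled by `PerlHandler Sample::AuthCookieHandler->login`.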

INSTALLATION

This module uses the Apache::Test framework for testing.  As a result, any
other Apache::Test parameters can be used when generating the Makefile.

    perl Makefile.PL -apxs /usr/sbin/apxs
    make
    make test
    make install

apache-authcookie's People

Contributors

esabol, kenahoo, manwar, mschout


apache-authcookie's Issues

Problems in 3.25 and later

Hi,

In 3.25 and later my setup silently stopped working. Instead of being redirected to the login page I get a 403 error.

I'm on apache 2.2, and mod_perl 2.0.10. My config below.

PerlSetVar 'Prosyn IntranetPath' /private
PerlSetVar 'Prosyn IntranetLoginScript' /private/bin/login.pl
PerlSetVar 'Prosyn IntranetCookieName' ps_intranet_devel
PerlSetVar 'Prosyn IntranetExpires' +1y

<LocationMatch ^/private.*>
  AuthType Prosyn::AuthCookieHandler
  AuthName "Prosyn Intranet"
  PerlAuthenHandler Prosyn::AuthCookieHandler->authenticate
  PerlAuthzHandler Prosyn::AuthCookieHandler->authorize
  require valid-user
</LocationMatch>


<Directory "/opt/project-syndicate/var/www/intranet">
  AuthType ProjectSyndicate::AuthCookieHandler
  AuthName "Prosyn Intranet"
  PerlAuthenHandler Prosyn::AuthCookieHandler->authenticate
  PerlAuthzHandler Prosyn::AuthCookieHandler->authorize
  require valid-user

  order deny,allow
  allow from all
  SSLRequireSSL
  Options +ExecCGI +FollowSymLinks

  DirectoryIndex bin/index.pl

  AllowOverride All
</Directory>

libapache2-authcookie-perl: autopkgtest regression with Perl 5.40: Attempt to call undefined import method with arguments

We have the following bug reported to the Debian package of
Apache-AuthCookie, c.f. https://bugs.debian.org/1078092

It doesn't seem to be a bug in the packaging, so you may want to take
a look. Thanks!

------8<-----------8<-----------8<-----------8<-----------8<-----

Package: libapache2-authcookie-perl
Version: 3.31-2
Severity: important
User: [email protected]
Usertags: perl-5.40-transition

This package warns on usage with Perl 5.40 (currently in experimental),
making its autopkgtest checks fail.

  https://ci.debian.net/packages/liba/libapache2-authcookie-perl/unstable/amd64/50041830/

  $ perl -we 'use Apache2::AuthCookie'
  Attempt to call undefined import method with arguments ("1.99022") via package "mod_perl2" (Perhaps you forgot to load the package?) at /usr/share/perl5/Apache2/AuthCookie/Base.pm line 6.

Information on the new warning can be found at

  https://metacpan.org/dist/perl/view/pod/perldelta.pod#Calling-the-import-method-of-an-unknown-package-produces-a-warning

-- 
Niko Tyni   [email protected]


------8<-----------8<-----------8<-----------8<-----------8<-----

Changing the version requirement in Apache2/AuthCookie/Base.pm to

use mod_perl2 1.99022;

(without the quotes around the version) avoids the warning with perl 5.40.

Thanks for considering,
Damyan Ivanov,
Debian Perl Group

Support SameSite cookie property

All the major browsers have been updated to support this cookie property.

References:
https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/
https://www.owasp.org/index.php/SameSite
https://caniuse.com/#search=samesite

Something like the following is working well for me:

--- AuthCookie.pm~      2013-04-12 13:22:56.866608000 -0400
+++ AuthCookie.pm       2019-03-26 19:13:37.809237000 -0400
@@ -527,6 +527,15 @@
         $string .= '; HttpOnly';
     }
 
+    # SameSite is an anti-CSRF cookie extension.  See
+    # https://www.owasp.org/index.php/SameSite
+    if (my $samesite = $r->dir_config("${auth_name}SameSite")) {
+       if ($samesite =~ /\b(strict|lax)\b/i) {
+           $samesite = lc($1);
+           $string .= "; SameSite=$samesite";
+       }
+    }
+
     return $string;
 }
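Review bot: the `if ($samesite =~ /\b(strict|lax)\b/i)` branch has no else, so a misspelled or unsupported `${auth_name}SameSite` value is dropped silently and the cookie goes out without the attribute while the configuration looks correct; add an else that logs the rejected value. An anchored `/\A(strict|lax)\z/i` is also preferable to `\b`, which accepts surrounding text such as `strict-mode`. `None` is not accepted at all; if it is added later it must only be emitted together with `Secure`, since browsers discard a `SameSite=None` cookie that lacks it.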

Maybe SameSite=lax should be the default even?
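An added example (not from the issue author or the project) of treating SameSite as a validated setting rather than one that is silently ignored: the builder defaults to Lax, as the question above proposes, accepts only the three defined values, and refuses SameSite=None without Secure, which browsers would discard anyway. The function `cookie_attributes` and its option names are constructed for this example and are not AuthCookie configuration keys.

```perl
use strict;
use warnings;

# Build the attribute part of a Set-Cookie header. Constructed example:
# option names are this example's own, not AuthCookie configuration keys.
# Dies on a SameSite setting browsers would reject or silently weaken.
sub cookie_attributes {
    my (%opt) = @_;
    my $s = '';
    $s .= "; Path=$opt{path}"     if defined $opt{path};
    $s .= "; Domain=$opt{domain}" if defined $opt{domain};
    $s .= '; Secure'              if $opt{secure};
    $s .= '; HttpOnly'            if $opt{httponly};

    # Default to Lax: cross-site form posts no longer carry the session
    # cookie, while ordinary top-level navigations still do.
    my $samesite = defined $opt{samesite} ? lc($opt{samesite}) : 'lax';
    die "unrecognised SameSite value '$samesite'\n"
        unless $samesite =~ /\A(strict|lax|none)\z/;
    die "SameSite=None is only accepted together with Secure\n"
        if $samesite eq 'none' && !$opt{secure};

    return $s . '; SameSite=' . ucfirst($samesite);
}

# Constructed checks; each line dies if the builder misbehaves.
die unless cookie_attributes(path => '/', httponly => 1)
    eq '; Path=/; HttpOnly; SameSite=Lax';
die unless cookie_attributes(secure => 1, samesite => 'NONE')
    eq '; Secure; SameSite=None';
die if eval { cookie_attributes(samesite => 'none'); 1 };         # None without Secure
die if eval { cookie_attributes(samesite => 'strict-mode'); 1 };  # not an exact value
print "all cookie checks passed\n";
```

Failing loudly on a bad value is the point: a session cookie that loses its SameSite attribute because of a typo is a regression nobody notices until a CSRF finding arrives.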

Apache 2.4 vs. DirectoryIndex

Hello Michael!

Thanks for updating AuthCookie to Apache 2.4 - once Debian switched over to that, we had a pretty hard time with our website auth (which is non-trivial and dates back to about 2005). The updated docs and examples made it possible to switch over to 2.4.

However, one feature does not quite work: per-directory "DirectoryIndex" overrides. We have "index.html" everywhere (as usual), but some directories are special and have a .htaccess file which specifies some other DirectoryIndex foo.html. This passes config-check but fails at runtime with the dreaded

AH00027: No authentication done but request not allowed without authentication for [...]/foo.html. Authentication not configured?, referer: [...].

I suspect that the internal redirect (from index.html to foo.html) does somehow not fit into that "auth-method is called twice" scheme. Oh, I'm using a custom handler: PerlAddAuthzProvider token SSO::Handler->token - which of course may be broken, too.

Question: Is this an inherent problem of AuthCookie or am I simply implementing the Apache API wrongly? Thanks for any hint,

Raimund

Enforce local destination?

A security audit of our system (based on Apache::AuthCookie) complained that we weren't enforcing a local destination. Since the destination is a parameter to the login form, a malicious man-in-the-middle entity could potentially intercept the login and change the destination to a different site, perhaps fooling the user into thinking they were still on our site, or so the thinking goes by the auditors.

Anyway, I have a relatively small patch that implements this enforcement of a local destination:

--- /www/htdocs/cgi-bin/lib/modperl/Apache2/AuthCookie/Base.pm_v3.28_orig      2019-11-19 10:36:52.000000000 -0500
+++ /www/htdocs/cgi-bin/lib/modperl/Apache2/AuthCookie/Base.pm_new      2020-01-08 15:44:00.377183000 -0500
@@ -2 +2 @@
-$Apache2::AuthCookie::Base::VERSION = '3.28';
+$Apache2::AuthCookie::Base::VERSION = '3.28_01';
@@ -276,0 +277,7 @@
+    # Enforce that the destination must be local.
+    my $destination = $params->param('destination');
+    if ($destination !~ /\A\// || $destination =~ /[<>:\"\']/) {
+        $r->server->log_error("invalid destination $destination detected for uri ",$r->uri);
+        $destination = $r->dir_config("${auth_name}DefaultDestination") || '/';
+        $r->server->log_error("destination changed to default $destination");
+    }
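Review bot: the `\A\/` test on the `if ($destination !~ /\A\// || ...)` line still accepts a scheme-relative destination such as `//other.example/`, which browsers resolve to a different host, so the local-destination rule this hunk is meant to enforce is not met; require exactly one leading slash and no backslash, for instance `$destination !~ m{\A/(?![/\\])} || $destination =~ /[\\<>:"']/`. Also `$params->param('destination')` is undef when the form omits the field, and matching against undef emits an uninitialized-value warning on every such login; default it with `// ''` before the checks so the fallback path is taken quietly.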
@@ -294 +301 @@
-        $r->uri($self->untaint_destination($params->param('destination')));
+        $r->uri($self->untaint_destination($destination));
@@ -308 +315 @@
-        $r->server->log_error("redirect to ", $params->param('destination'));
+        $r->server->log_error("redirect to ", $destination);
@@ -312 +319 @@
-        "Location" => $self->untaint_destination($params->param('destination')));
+        "Location" => $self->untaint_destination($destination));

Would you be interested in incorporating this change? I could submit a PR, but, if you don't think this change is warranted, I'll just close this issue.
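As an added example (not the issue author's patch and not the project's code), a stand-alone `local_destination` check for the same requirement: it accepts only a same-origin absolute path and falls back to a default for scheme-relative, backslash, control-character and scheme-bearing values rather than trying to clean them up. The function name, the fallback argument and the inline check inputs are constructed for this example.

```perl
use strict;
use warnings;

# Return $dest if it is a plain same-origin path, otherwise $fallback.
# Constructed example; the shapes a browser could turn into a different host
# (scheme-relative //host, backslashes, control characters, full URLs) all
# fall back rather than being rewritten.
sub local_destination {
    my ($dest, $fallback) = @_;
    $fallback //= '/';

    return $fallback unless defined $dest && length $dest;
    return $fallback if $dest =~ /[\x00-\x1f\x7f]/;    # CR/LF, tabs, other controls
    return $fallback unless $dest =~ m{\A/(?![/\\])};   # exactly one leading slash
    return $fallback if $dest =~ /\\/;                  # browsers treat '\' as '/'
    return $fallback if $dest =~ /[<>"']/;              # the characters the patch above rejects
    return $dest;
}

# Constructed checks; each line dies if the validator misbehaves.
die unless local_destination('/docs/index.html') eq '/docs/index.html';
die unless local_destination('/a?b=c&d=e') eq '/a?b=c&d=e';
die unless local_destination('//other.example/') eq '/';
die unless local_destination('/\other.example') eq '/';
die unless local_destination('https://other.example/') eq '/';
die unless local_destination("/ok\r\nX: y") eq '/';
die unless local_destination(undef, '/home') eq '/home';
print "all destination checks passed\n";
```

Logging the rejected value, as the patch does, is still worthwhile: a burst of rejections on one login URL is a useful detection signal.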

improve "cookie removed" log message.

The "removed cookie" log message is somewhat confusing because it just shows the new set-cookie header that is sent to remove the cookie. In particular, at least some users are confused by the "0 GMT" date string. It would be clearer to just log the cookie name.

use Apache2::Request if possible

It would be nice if Apache2::Request could be used instead of CGI.pm. CGI.pm is available everywhere, but if we could detect whether Apache2::Request is installed and use that in preference to CGI.pm, it would be nice.

Uninitialized var if no WhatEverSatisfy.

There's a precedence issue in the return to get_satisfy if WhatEverSatisfy is not set. Line 90 (as of time of writing) evaluates as:

return lc ($x) || "A string", so gives an uninitialized var error in the http log if $x is undef.

Tests fail - no apache.conf ?

Hi, just tried to upgrade from 3.24 to 3.26, and I have issues with running tests:

[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl /home/jessr/.cpanm/work/1476437874.32308/Apache-AuthCookie-3.26/t/TEST -bugreport -verbose=0 't/author-pod-syntax.t' 't/real.t' 't/signature.t' 't/util.t'
apache2: Could not open configuration file /home/jessr/.cpanm/work/1476437874.32308/Apache-AuthCookie-3.26/t/apache2.conf: No such file or directory
/usr/sbin/apache2 -d /home/jessr/.cpanm/work/1476437874.32308/Apache-AuthCookie-3.26/t -f /home/jessr/.cpanm/work/1476437874.32308/Apache-AuthCookie-3.26/t/conf/httpd.conf -D APACHE2 -D APACHE2_4 -D PERL_USEITHREADS
using Apache/2.4.18

waiting 60 seconds for server to start: .AH00534: apache2: Configuration error: No MPM loaded.
[ error]
server has died with status 255 (t/logs/error_log wasn't created, start the server in the debug mode)
Terminated
Makefile:907: recipe for target 'run_tests' failed

Full cpanm log file available if required. Any ideas? It does (once forced) fix the issue we were having with AH00027 (user setting in subrequests), so I would love to install it.

How to get it to send 401 instead of 403

Is there a way to get AuthCookie to send a 401 status instead of a 403 status? 401 means "I don't know who you are", which is generally true if the user has not logged in yet. 403 means "I know who you are but you don't have access", which is the case when the user is logged in (has a valid cookie) but is not in the valid-user list.

AuthCookie always seems to send 403 no matter what the case.
