mschout / apache-authcookie
mod_perl Authentication and Authorization via cookies
The "removed cookie" log message is somewhat confusing because it just shows the new set-cookie header that is sent to remove the cookie. In particular, at least some users are confused by the "0 GMT" date string. It would be clearer to just log the cookie name.
Currently convert_to_get() filters out credential* args, but there should be a way to specify other args that can be filtered out. E.g.: if using reCAPTCHA, you have captcha_* fields that end up getting passed through and kept in the destination.
Hello Michael!
Thanks for updating AuthCookie to Apache 2.4. Once Debian switched over to that, we had a pretty hard time with our website auth (which is non-trivial and dates back to about 2005). The updated docs and examples made it possible to switch over to 2.4.
However, one feature does not quite work: per-directory "DirectoryIndex" overrides. We have "index.html" everywhere (as usual), but some directories are special and have a .htaccess file which specifies some other DirectoryIndex foo.html. This passes config-check but fails at runtime with the dreaded
AH00027: No authentication done but request not allowed without authentication for [...]/foo.html. Authentication not configured?, referer: [...].
I suspect that the internal redirect (from index.html to foo.html) somehow does not fit into that "auth-method is called twice" scheme. Oh, I'm using a custom handler: PerlAddAuthzProvider token SSO::Handler->token, which of course may be broken, too.
Question: Is this an inherent problem of AuthCookie or am I simply implementing the Apache API wrongly? Thanks for any hint,
Raimund
It would be nice if Apache2::Request could be used instead of CGI.pm. CGI.pm is available everywhere, but if we could detect whether Apache2::Request is installed and use that in preference to CGI.pm, it would be nice.
I am trying to use Apache-AuthCookie on a CentOS7 box with mod_perl-2.0.10 but get the error:
Can't locate object method "requires" via package "Apache2::RequestRec" at /usr/share/perl5/vendor_perl/Apache2/AuthCookie/Base.pm line 167.
A security audit of our system (based on Apache::AuthCookie) complained that we weren't enforcing a local destination. Since the destination is a parameter to the login form, a malicious man-in-the-middle entity could potentially intercept the login and change the destination to a different site, perhaps fooling the user into thinking they were still on our site, or so the thinking goes by the auditors.
Anyway, I have a relatively small patch that implements this enforcement of a local destination:
--- /www/htdocs/cgi-bin/lib/modperl/Apache2/AuthCookie/Base.pm_v3.28_orig 2019-11-19 10:36:52.000000000 -0500
+++ /www/htdocs/cgi-bin/lib/modperl/Apache2/AuthCookie/Base.pm_new 2020-01-08 15:44:00.377183000 -0500
@@ -2 +2 @@
-$Apache2::AuthCookie::Base::VERSION = '3.28';
+$Apache2::AuthCookie::Base::VERSION = '3.28_01';
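Review bot: the VERSION bump to 3.28_01 on the changed line is a marker for your locally installed copy and should not travel with a PR; leave the version line to the maintainer's release process and submit only the functional change in the hunks that follow.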
@@ -276,0 +277,7 @@
+ # Enforce that the destination must be local.
+ my $destination = $params->param('destination');
+ if ($destination !~ /\A\// || $destination =~ /[<>:\"\']/) {
+ $r->server->log_error("invalid destination $destination detected for uri ",$r->uri);
+ $destination = $r->dir_config("${auth_name}DefaultDestination") || '/';
+ $r->server->log_error("destination changed to default $destination");
+ }
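Review bot: the test on the third added line, `if ($destination !~ /\A\// || $destination =~ /[<>:\"\']/)`, still passes a scheme-relative value: `//evil.example/` (and `/\evil.example/`, which browsers normalise the same way) begins with a slash and contains none of the forbidden characters, yet `Location: //evil.example/` sends the browser to another host, so the open redirect the audit flagged is not closed. Require exactly one leading slash and also reject control characters, for instance `$destination !~ m{\A/(?![/\\])} || $destination =~ /[\x00-\x1f<>:\"\'\\]/`; that keeps CR/LF out of the Location header as well. Guard the missing-parameter case too: when `destination` is absent, the match runs against undef and emits an uninitialized-value warning before falling through to the default.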
@@ -294 +301 @@
- $r->uri($self->untaint_destination($params->param('destination')));
+ $r->uri($self->untaint_destination($destination));
@@ -308 +315 @@
- $r->server->log_error("redirect to ", $params->param('destination'));
+ $r->server->log_error("redirect to ", $destination);
@@ -312 +319 @@
- "Location" => $self->untaint_destination($params->param('destination')));
+ "Location" => $self->untaint_destination($destination));
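Review bot: the `$destination` reaching this `Location` header can now be the `${auth_name}DefaultDestination` value substituted in the earlier hunk, which has not been through the same check; a default configured as an absolute URL would still redirect off-site, so either validate it with the same test or document that it must be a local path. `DefaultDestination` is a new per-AuthName configuration variable and needs an entry in the module documentation next to the other `${auth_name}*` settings.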
Would you be interested in incorporating this change? I could submit a PR, but, if you don't think this change is warranted, I'll just close this issue.
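A standalone check of the kind the audit asked for, written here as an added example; it is not Apache::AuthCookie code and not the patch above. The function name `safe_local_destination`, the `'/'` default and the constructed inputs are assumptions. It goes beyond the patch in also refusing scheme-relative values (`//host`, `/\host`), header-splitting characters and a missing parameter:

```perl
#!/usr/bin/perl
# Added example, not Apache::AuthCookie code: accept only same-origin,
# path-absolute destinations for the post-login redirect.
use strict;
use warnings;

# Returns a destination safe to put in a Location: header, or $default
# (assumed to be an already validated local path, '/' when not given).
sub safe_local_destination {
    my ($dest, $default) = @_;
    $default = '/' unless defined $default;

    # Missing or empty parameter: fall back rather than warn on undef.
    return $default unless defined $dest && length $dest;

    # Exactly one leading slash. "//host/..." and "/\host/..." are read as
    # scheme-relative URLs by browsers and would leave the site.
    return $default unless $dest =~ m{\A/(?![/\\])};

    # CR/LF would split the header; other control characters, backslash,
    # quotes and angle brackets have no business in a redirect target.
    return $default if $dest =~ /[\x00-\x1f\x7f\\<>"']/;

    # A colon in the path part could be read as a scheme by lax parsers;
    # the query string and fragment may keep theirs.
    my ($path) = split /[?#]/, $dest, 2;
    return $default if $path =~ /:/;

    return $dest;
}

# Constructed inputs (assumed, not taken from any real request) paired
# with the outcome each should produce.
my @cases = (
    ['/private/index.html',            '/private/index.html'],
    ['/private/page?next=/x:y',        '/private/page?next=/x:y'],
    ['//evil.example/login',           '/'],
    ['/\\evil.example/login',          '/'],
    ['https://evil.example/',          '/'],
    ["/ok\r\nSet-Cookie: a=b",         '/'],
    ['/javascript:alert(1)',           '/'],
    [undef,                            '/'],
    ['',                               '/'],
);

my $failed = 0;
for my $c (@cases) {
    my ($in, $want) = @$c;
    my $got   = safe_local_destination($in);
    my $shown = defined $in ? "'$in'" : 'undef';
    if ($got eq $want) {
        print "ok   $shown -> '$got'\n";
    } else {
        print "FAIL $shown -> '$got' (wanted '$want')\n";
        $failed++;
    }
}
exit($failed ? 1 : 0);
```

The returned value is still a candidate for `untaint_destination`; this function only decides whether the value may be used at all. Percent-encoded slashes (`/%2F%2Fhost`) are left alone on purpose, since a server does not decode them into a new authority before redirecting.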
Hi,
in 3.25 and later my setup silently stopped working. Instead of being redirected to login page I get 403 error.
I'm on apache 2.2, and mod_perl 2.0.10. My config below.
PerlSetVar 'Prosyn IntranetPath' /private
PerlSetVar 'Prosyn IntranetLoginScript' /private/bin/login.pl
PerlSetVar 'Prosyn IntranetCookieName' ps_intranet_devel
PerlSetVar 'Prosyn IntranetExpires' +1y
<LocationMatch ^/private.*>
AuthType Prosyn::AuthCookieHandler
AuthName "Prosyn Intranet"
PerlAuthenHandler Prosyn::AuthCookieHandler->authenticate
PerlAuthzHandler Prosyn::AuthCookieHandler->authorize
require valid-user
</LocationMatch>
<Directory "/opt/project-syndicate/var/www/intranet">
AuthType ProjectSyndicate::AuthCookieHandler
AuthName "Prosyn Intranet"
PerlAuthenHandler Prosyn::AuthCookieHandler->authenticate
PerlAuthzHandler Prosyn::AuthCookieHandler->authorize
require valid-user
order deny,allow
allow from all
SSLRequireSSL
Options +ExecCGI +FollowSymLinks
DirectoryIndex bin/index.pl
AllowOverride All
</Directory>
There's a precedence issue in the return in get_satisfy if WhatEverSatisfy is not set. Line 90 (as of time of writing) evaluates as:
return lc ($x) || "A string", so gives an uninitialized var error in the http log if $x is undef.
Is there way to get AuthCookie to send a 401 status instead of a 403 status. 401 means "I don't know who you are" which is what is generally true if the user has not logged in yet. 403 means "I know who you are but you don't have access" which is the case when the user is logged in (have valid cookie) but they are not in the valid-user list.
AuthCookie always seems to send 403 no matter what the case.
We have the following bug reported to the Debian package of
Apache-AuthCookie, c.f. https://bugs.debian.org/1078092
It doesn't seem to be a bug in the packaging, so you may want to take
a look. Thanks!
------8<-----------8<-----------8<-----------8<-----------8<-----
Package: libapache2-authcookie-perl
Version: 3.31-2
Severity: important
User: [email protected]
Usertags: perl-5.40-transition
This package warns on usage with Perl 5.40 (currently in experimental),
making its autopkgtest checks fail.
https://ci.debian.net/packages/liba/libapache2-authcookie-perl/unstable/amd64/50041830/
$ perl -we 'use Apache2::AuthCookie'
Attempt to call undefined import method with arguments ("1.99022") via package "mod_perl2" (Perhaps you forgot to load the package?) at /usr/share/perl5/Apache2/AuthCookie/Base.pm line 6.
Information on the new warning can be found at
https://metacpan.org/dist/perl/view/pod/perldelta.pod#Calling-the-import-method-of-an-unknown-package-produces-a-warning
--
Niko Tyni [email protected]
------8<-----------8<-----------8<-----------8<-----------8<-----
Changing the version requirement in Apache2/AuthCookie/Base.pm to
use mod_perl2 1.99022;
(without the quotes around the version) avoids the warning with perl 5.40.
Thanks for considering,
Damyan Ivanov,
Debian Perl Group
All the major browsers have been updated to support this cookie property.
References:
https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/
https://www.owasp.org/index.php/SameSite
https://caniuse.com/#search=samesite
Something like the following is working well for me:
--- AuthCookie.pm~ 2013-04-12 13:22:56.866608000 -0400
+++ AuthCookie.pm 2019-03-26 19:13:37.809237000 -0400
@@ -527,6 +527,15 @@
$string .= '; HttpOnly';
}
+ # SameSite is an anti-CSRF cookie extension. See
+ # https://www.owasp.org/index.php/SameSite
+ if (my $samesite = $r->dir_config("${auth_name}SameSite")) {
+ if ($samesite =~ /\b(strict|lax)\b/i) {
+ $samesite = lc($1);
+ $string .= "; SameSite=$samesite";
+ }
+ }
+
return $string;
}
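Review bot: the match `/\b(strict|lax)\b/i` on the fourth added line accepts `not-strict` (the `\b` boundaries sit at the hyphen) and silently drops any other value, so a typo or `None` in `PerlSetVar FooSameSite` leaves the cookie without the attribute and nothing in the log says so. Anchor to the whole value and report rejections, e.g. `if ($samesite =~ /\A(strict|lax|none)\z/i) { ... } else { $r->server->log_error("invalid ${auth_name}SameSite value $samesite") }`. If `none` is accepted, browsers only honour `SameSite=None` on a cookie that is also `Secure`, so tie that branch to the existing Secure handling or refuse the combination.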
Maybe SameSite=lax should be the default even?
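An added example of composing the Set-Cookie value with a validated SameSite attribute, alongside the Lax-by-default question above; it is not Apache::AuthCookie code, and the function `build_cookie_string`, its argument names, the Lax default and the constructed configurations are assumptions. Unlike the patch above it rejects unrecognised values loudly and refuses SameSite=None without Secure, because browsers ignore that combination:

```perl
#!/usr/bin/perl
# Added example, not Apache::AuthCookie code: compose a Set-Cookie header
# value and validate the SameSite setting instead of silently dropping it.
use strict;
use warnings;

# Canonical spellings for the accepted SameSite values.
my %SAMESITE = (strict => 'Strict', lax => 'Lax', none => 'None');

# Arguments: name, value, and optional path, domain, expires, secure,
# httponly, samesite. Returns ($header_value, undef) on success or
# (undef, $error) when the configuration would produce a useless cookie.
sub build_cookie_string {
    my (%arg) = @_;

    # Cookie name and value must not be able to terminate the header or
    # inject further attributes.
    for my $f (qw(name value)) {
        return (undef, "missing $f") unless defined $arg{$f};
        return (undef, "illegal character in $f")
            if $arg{$f} =~ /[\x00-\x1f\x7f;,\s]/;
    }

    my $s = "$arg{name}=$arg{value}";
    $s .= "; Path=$arg{path}"       if defined $arg{path};
    $s .= "; Domain=$arg{domain}"   if defined $arg{domain};
    $s .= "; Expires=$arg{expires}" if defined $arg{expires};
    $s .= '; Secure'                if $arg{secure};
    $s .= '; HttpOnly'              if $arg{httponly};

    # Default to Lax when not configured (assumed policy). Whole-value,
    # case-insensitive match: "Strict" and "strict" both work, while
    # "not-strict" or a typo is rejected rather than ignored.
    my $want     = defined $arg{samesite} ? lc $arg{samesite} : 'lax';
    my $samesite = $SAMESITE{$want};
    return (undef, "unrecognised SameSite value '$arg{samesite}'")
        unless defined $samesite;

    # Browsers ignore SameSite=None unless the cookie is also Secure.
    return (undef, 'SameSite=None requires Secure')
        if $samesite eq 'None' && !$arg{secure};

    $s .= "; SameSite=$samesite";
    return ($s, undef);
}

# Constructed configurations (assumed), as a PerlSetVar block might
# supply them to the handler.
my @configs = (
    { name => 'ps_intranet', value => 'abc123', path => '/private',
      secure => 1, httponly => 1, samesite => 'Strict' },
    { name => 'ps_intranet', value => 'abc123', path => '/private',
      secure => 1, httponly => 1 },                 # no samesite given
    { name => 'ps_intranet', value => 'abc123', secure => 0,
      samesite => 'None' },                         # None without Secure
    { name => 'ps_intranet', value => 'abc123', samesite => 'not-strict' },
    { name => 'ps_intranet', value => "abc\r\nSet-Cookie: x=y" },
);

for my $cfg (@configs) {
    my ($header, $err) = build_cookie_string(%$cfg);
    print defined $header ? "Set-Cookie: $header\n" : "rejected: $err\n";
}
```

Returning an error rather than a header lets the caller decide whether to log and fail the request; a configuration that yields a cookie without the protection the admin asked for is the failure mode worth surfacing.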
At this point:
https://metacpan.org/source/MSCHOUT/Apache-AuthCookie-3.28/lib/Apache2/AuthCookie/Base.pm#L23
my ($auth_type, $r) = @_;
should be:
my ($self,$auth_type, $r) = @_;
Hi, just tried to upgrade from 3.24 to 3.26, and I have issues with running tests:
[warning] setting ulimit to allow core files
ulimit -c unlimited; /usr/bin/perl /home/jessr/.cpanm/work/1476437874.32308/Apache-AuthCookie-3.26/t/TEST -bugreport -verbose=0 't/author-pod-syntax.t' 't/real.t' 't/signature.t' 't/util.t'
apache2: Could not open configuration file /home/jessr/.cpanm/work/1476437874.32308/Apache-AuthCookie-3.26/t/apache2.conf: No such file or directory
/usr/sbin/apache2 -d /home/jessr/.cpanm/work/1476437874.32308/Apache-AuthCookie-3.26/t -f /home/jessr/.cpanm/work/1476437874.32308/Apache-AuthCookie-3.26/t/conf/httpd.conf -D APACHE2 -D APACHE2_4 -D PERL_USEITHREADS
using Apache/2.4.18
waiting 60 seconds for server to start: .AH00534: apache2: Configuration error: No MPM loaded.
[ error]
server has died with status 255 (t/logs/error_log wasn't created, start the server in the debug mode)
Terminated
Makefile:907: recipe for target 'run_tests' failed
Full cpanm log file available if required. Any ideas? It does (once forced) fix the issue we were having with AH00027 (user setting in subrequests), so would love to install it.