Cookie Authentication in Apache – How to Implement

apache-2.2, authentication, cookies, reverse-proxy, security

I'm trying to set up a reverse proxy in Apache. The user will be required to log in, and will then be sent a cookie. I want Apache to check the cookie. Is there a way to do this?

EG, right now my config looks like this:

<VirtualHost *:82>
  # username:password sent on to endpoint
  RequestHeader set Authorization "Basic cm9vdjfjDJaGRvYa=="

  ProxyPass /monitors/2/ http://192.168.1.6/foo.cgi
  ProxyPassReverse /monitors/2/ http://192.168.1.6/foo.cgi
</VirtualHost>

Can I add something in the VirtualHost to restrict access based on a cookie?

Best Answer

Sure. I do the same thing.

When a user logs in, I give them a cookie and create a token in /t/tokenid, and put it in a cookie: S=tokenid;PATH=/

Then, I can use RewriteCond to check for the file's existence:

RewriteEngine on
# check for no cookie being set
RewriteCond %{HTTP:Cookie} !S=([a-zA-Z0-9]+)
RewriteRule ^/*protected/ /login.html [L,R]
# check for an invalid cookie being set
RewriteCond %{HTTP:Cookie} S=([a-zA-Z0-9]+)
RewriteCond /t/%1 !-f
RewriteRule ^/*protected/ /login.html [L,R]

Finally, a garbage collector runs periodically and deletes old tokens:

# delete tokens whose atime is more than a day old (the negated `\! -atime +1` would remove the fresh ones instead)
find /t -type f -atime +1 -delete

To make the atime update automatically, I have /t mounted without noatime and web-accessible (but not indexed), and part of the stylesheet references /loggedin.txt, which is rewritten as:

RewriteCond %{HTTP:Cookie} S=([a-zA-Z0-9]+)
RewriteRule ^/*loggedin\.txt$ /t/%1 [L]