Bug #51593 for Apache2-AuthCookieDBI: Protecting DOCUMENT_ROOT results in repeated showing of login form

Tue Nov 17 04:14:49 2009 patrick.bo [...] laposte.net - Ticket created

Subject:

SSL and authCookieDBI

Hi, good morning I use "Apache2::AuthCookieDBI" module (version 2.05) with OpenSuSE 11. This intranet server works well since many years. The module controls access to subdirectory with success. Now, due to some important information, I change Apache's configuration. The httpS server (port 443) is enable and port 80 is disabled. It's continue to work if the module controls the access to a "subdirectory". But there is no access (the login page is displayed again and again) when the module controls the access to the "DocumentRoot" Take a look on the attached files, it's work. But when I change the parameter "Directory" in authcookiedbi.conf to "/srv/www/htdocs", the access is impossible. I do not know what to do, it can be a huge mistake on my part but I do not see it. Thank you in advance for your help Regards Patrick

Subject:

vhost-ssl.conf

<IfDefine SSL> <IfDefine !NOSSL> ## SSL Virtual Host Context <VirtualHost _default_:443> # General setup for the virtual host DocumentRoot "/srv/www/htdocs" ServerName 192.168.0.99 #ServerAdmin webmaster@example.com ErrorLog /var/log/apache2/ssl_error_log TransferLog /var/log/apache2/ssl_access_log # SSL Engine Switch: SSLEngine on # SSL Cipher Suite: SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL # Server Certificate: SSLCertificateFile /etc/apache2/ssl.crt/myServer.crt # Server Private Key: SSLCertificateKeyFile /etc/apache2/ssl.key/myServer.key # SSL Engine Options: #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire <Files ~ "\.(cgi|pl|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/srv/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> # SSL Protocol Adjustments: SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # Per-Server Logging: CustomLog /var/log/apache2/ssl_request_log ssl_combined </VirtualHost> </IfDefine> </IfDefine>

Subject:

authCookieDBI.conf

PerlOptions +GlobalRequest # In httpd.conf or .htaccess PerlModule Apache2::AuthCookieDBI PerlSetVar WhatEverPath / PerlSetVar WhatEverLoginScript /cgi-perl/login # Optional, to share tickets between servers. #PerlSetVar WhatEverDomain .domain.com # These must be set PerlSetVar WhatEverDBI_DSN DBI:mysql:authSrv:localhost PerlSetVar WhatEverDBI_SecretKey "489e5eaad8b3208f9ad792ef4afca73598ae666b0206a9c92ac77e73ce835c" # These are optional, the module sets sensible defaults. PerlSetVar WhatEverDBI_User root PerlSetVar WhatEverDBI_Password pateli PerlSetVar WhatEverDBI_UsersTable users PerlSetVar WhatEverDBI_UserField user PerlSetVar WhatEverDBI_PasswordField password PerlSetVar WhatEverDBI_CryptType none PerlSetVar WhatEverDBI_GroupsTable groupes PerlSetVar WhatEverDBI_GroupField groupe PerlSetVar WhatEverDBI_GroupUserField user #PerlSetVar WhatEverDBI_EncryptionType none PerlSetVar WhatEverDBI_SessionLifetime 00-00-20-00 # Protected by AuthCookieDBI. <Directory "/srv/www/htdocs/secured"> AuthType Apache2::AuthCookieDBI # set this to whatever, but the PerlSetVar's must match it. AuthName WhatEver PerlAuthenHandler Apache2::AuthCookieDBI->authenticate PerlAuthzHandler Apache2::AuthCookieDBI->authorize #Require valid-user invalidé avec fonction group demandé Require valid-user # AllowOverride controls what directives may be placed in .htaccess files. # It can be "All", "None", or any combination of the keywords: # Options FileInfo AuthConfig Limit AllowOverride AuthConfig # Require group Administrator mis dans .htaccess Options +Indexes </Directory> # Login location. <Files LOGIN> AuthType Apache2::AuthCookieDBI AuthName WhatEver SetHandler perl-script PerlHandler Apache2::AuthCookieDBI->login </Files>

Tue Nov 17 12:40:58 2009 matisse [...] spamcop.net - Taken

Tue Nov 17 12:52:56 2009 matisse [...] spamcop.net - Correspondence added

Some questions: Where are you configuring cgi-perl as a script directory? I expected to see a ScriptAlias directive somewhere. Are you sure that the login script itself is not inside /srv/www/htdocs/ ? In order for AuthCookieDBI to work the login page and handler must not be password protected.

Tue Nov 17 12:52:57 2009 The RT System itself - Status changed from 'new' to 'open'

Tue Nov 17 16:33:33 2009 patrick.bo [...] laposte.net - Correspondence added

Le Mar. Nov. 17 12:52:56 2009, MATISSE a écrit : Show quoted text

> Some questions: > > Where are you configuring cgi-perl as a script directory? I expected

to Show quoted text

> see a ScriptAlias directive somewhere. > > Are you sure that the login script itself is not

inside /srv/www/htdocs/ ? Show quoted text

> > In order for AuthCookieDBI to work the login page and handler must not > be password protected.

"cgi-perl" is configured in mod_perl.conf file in /etc/apache2. The login script and login html page is in /srv/www/cgi-bin.

Tue Nov 17 23:20:52 2009 matisse [...] spamcop.net - Correspondence added

OK, more questions: Can you attach the code that generates the login form?

Tue Nov 17 23:24:25 2009 matisse [...] spamcop.net - Correspondence added

Sorry, I meant to ask for both the login code and the login HTML. I want to see what fields are passed to /LOGIN when a user submits the login form.

Wed Nov 18 11:34:39 2009 patrick.bo [...] laposte.net - Correspondence added

Le Mar. Nov. 17 23:24:25 2009, MATISSE a écrit : Show quoted text

> Sorry, I meant to ask for both the login code and the login HTML. > I want to see what fields are passed to /LOGIN when a user submits the > login form.

The both file are saved in /srv/www/cgi-bin.

#!/usr/bin/perl #modil PBo #!/usr/bin/perl -Tw # # $Id: login.pl,v 1.3 2003/10/10 22:33:31 jacob Exp $ # # Display a login form with hidden fields corresponding to the page they # wanted to see. use strict; use 5.004; use Text::TagTemplate; #use Apache; use Apache2::RequestUtil(); #use Apache2::RequestRec(); my $t = new Text::TagTemplate; # my $r = Apache->request(); my $r = Apache2::RequestUtil->request(); my $destination; my $authcookiereason; if ($r->prev()) { # we are called as a subrequest. $destination = $r->prev()->args() ? $r->prev()->uri().'?'.$r->prev->args() : $r->prev()->uri(); $authcookiereason = $r->prev()->subprocess_env('AuthCookieReason'); } else { my %args = $r->args; $destination = $args{'destination'}; $authcookiereason = $args{'AuthCookieReason'}; # modif PBo $t->add_tag( CREDENTIAL_0 => $r->prev->args('credential_0')); } $t->add_tag(DESTINATION => $destination); unless ($authcookiereason eq 'bad_cookie') { #modif PBo $t->template_file("../html/login.html"); $t->template_file("/srv/www/cgi-bin/login.html"); } else { #modif PBo $t->template_file("../html/login-failed.html"); $t->template_file("/srv/www/cgi-bin/login-failed.html"); } #$r->send_http_header; #modif ne fonctionne pas sans "use Apache2::compat ();" $r->content_type('text/plain'); print $t->parse_file unless $r->header_only;

Utilisateur : Password :

Wed Nov 18 12:13:12 2009 patrick.bo [...] laposte.net - Correspondence added

Le Mer. Nov. 18 11:34:39 2009, PatrickB a écrit : Show quoted text

> Le Mar. Nov. 17 23:24:25 2009, MATISSE a écrit :

> > Sorry, I meant to ask for both the login code and the login HTML. > > I want to see what fields are passed to /LOGIN when a user submits

the Show quoted text

> > login form.

> > > > The both file are saved in /srv/www/cgi-bin.

If you want I can send a zip file (44kb only) containing the files in /srv, /etc/ and /log. Until the problem is not solved, there is nothing on the server.

Wed Nov 18 13:23:14 2009 patrick.bo [...] laposte.net - Told changed from Tue Nov 17 23:24:26 2009 to Wed Nov 18 13:23:14 2009

Wed Nov 18 13:55:31 2009 matisse [...] spamcop.net - Correspondence added

On Wed Nov 18 12:13:12 2009, PatrickB wrote: Show quoted text

> If you want I can send a zip file (44kb only) containing the files > in /srv, /etc/ and /log.

That cannot hurt, so if you don't mind go ahead and do that. I won't get a chance to look at this again until tonight (I am in California.) In the meantime you can try setting the AuthCookieDebug value to 2 or higher and see if more useful information shows in the error log. AuthCookieDebug 2

Wed Nov 18 17:47:41 2009 patrick.bo [...] laposte.net - Correspondence added

Le Mer. Nov. 18 13:55:31 2009, MATISSE a écrit : Show quoted text

> On Wed Nov 18 12:13:12 2009, PatrickB wrote:

> > If you want I can send a zip file (44kb only) containing the files > > in /srv, /etc/ and /log.

> > That cannot hurt, so if you don't mind go ahead and do that. > > I won't get a chance to look at this again until tonight (I am in > California.) > > In the meantime you can try setting the AuthCookieDebug value to 2 or > higher and see if more useful information shows in the error log. > > AuthCookieDebug 2

With AuthCookieDebug = 3, error_log file contains after Apache restarting: [Wed Nov 18 23:35:33 2009] [notice] caught SIGTERM, shutting down [Wed Nov 18 23:35:39 2009] [notice] Apache/2.2.13 (Linux/SUSE) mod_ssl/2.2.13 OpenSSL/0.9.8k PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations [Wed Nov 18 23:36:21 2009] [error] auth_type Apache2::AuthCookieDBI [Wed Nov 18 23:36:21 2009] [error] r=Apache2::RequestRec=SCALAR (0xb7bc1f9c) authtype=Apache2::AuthCookieDBI [Wed Nov 18 23:36:21 2009] [error] auth_name WhatEver [Wed Nov 18 23:36:21 2009] [error] ses_key_cookie [Wed Nov 18 23:36:21 2009] [error] uri / [Wed Nov 18 23:36:30 2009] [error] auth_type Apache2::AuthCookieDBI [Wed Nov 18 23:36:30 2009] [error] r=Apache2::RequestRec=SCALAR (0xb7bc1f9c) authtype=Apache2::AuthCookieDBI [Wed Nov 18 23:36:30 2009] [error] auth_name WhatEver [Wed Nov 18 23:36:30 2009] [error] ses_key_cookie [Wed Nov 18 23:36:30 2009] [error] uri /LOGIN [Wed Nov 18 23:36:30 2009] [error] Converting POST -> GET Many fields are empty.

Download tmp.zip
application/x-zip-compressed 43.7k

Message body not shown because it is not plain text.

Wed Nov 18 18:03:31 2009 patrick.bo [...] laposte.net - Correspondence added

Le Mer. Nov. 18 17:47:41 2009, PatrickB a écrit : Show quoted text

> Le Mer. Nov. 18 13:55:31 2009, MATISSE a écrit :

> > On Wed Nov 18 12:13:12 2009, PatrickB wrote:

> > > If you want I can send a zip file (44kb only) containing the

files Show quoted text

> > > in /srv, /etc/ and /log.

> > > > That cannot hurt, so if you don't mind go ahead and do that. > > > > I won't get a chance to look at this again until tonight (I am in > > California.) > > > > In the meantime you can try setting the AuthCookieDebug value to 2

or Show quoted text

> > higher and see if more useful information shows in the error log. > > > > AuthCookieDebug 2

> > > With AuthCookieDebug = 3, error_log file contains after Apache > restarting: > [Wed Nov 18 23:35:33 2009] [notice] caught SIGTERM, shutting down > [Wed Nov 18 23:35:39 2009] [notice] Apache/2.2.13 (Linux/SUSE) > mod_ssl/2.2.13 OpenSSL/0.9.8k PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0 > configured -- resuming normal operations > [Wed Nov 18 23:36:21 2009] [error] auth_type Apache2::AuthCookieDBI > [Wed Nov 18 23:36:21 2009] [error] r=Apache2::RequestRec=SCALAR > (0xb7bc1f9c) authtype=Apache2::AuthCookieDBI > [Wed Nov 18 23:36:21 2009] [error] auth_name WhatEver > [Wed Nov 18 23:36:21 2009] [error] ses_key_cookie > [Wed Nov 18 23:36:21 2009] [error] uri / > [Wed Nov 18 23:36:30 2009] [error] auth_type Apache2::AuthCookieDBI > [Wed Nov 18 23:36:30 2009] [error] r=Apache2::RequestRec=SCALAR > (0xb7bc1f9c) authtype=Apache2::AuthCookieDBI > [Wed Nov 18 23:36:30 2009] [error] auth_name WhatEver > [Wed Nov 18 23:36:30 2009] [error] ses_key_cookie > [Wed Nov 18 23:36:30 2009] [error] uri /LOGIN > [Wed Nov 18 23:36:30 2009] [error] Converting POST -> GET > > Many fields are empty.

If the module does not protect the "DocumentRoot" but the subdirectory "secured" ( change<Directory "/srv/www/htdocs/secured"> in my authCookieDBI.conf), it works the error_log file contains: [Wed Nov 18 23:49:29 2009] [notice] caught SIGTERM, shutting down [Wed Nov 18 23:49:42 2009] [notice] Apache/2.2.13 (Linux/SUSE) mod_ssl/2.2.13 OpenSSL/0.9.8k PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations [Wed Nov 18 23:50:13 2009] [error] auth_type Apache2::AuthCookieDBI [Wed Nov 18 23:50:13 2009] [error] r=Apache2::RequestRec=SCALAR (0xb788aa4c) authtype=Apache2::AuthCookieDBI [Wed Nov 18 23:50:13 2009] [error] auth_name WhatEver [Wed Nov 18 23:50:13 2009] [error] ses_key_cookie [Wed Nov 18 23:50:13 2009] [error] uri /secured [Wed Nov 18 23:50:26 2009] [error] Converting POST -> GET [Wed Nov 18 23:50:26 2009] [error] credential_0 myNAME [Wed Nov 18 23:50:26 2009] [error] credential_1 myPASS [Wed Nov 18 23:50:26 2009] [error] ses_key myNAME:2009-11-18-23-50- 26:2009-11-18-23-51-26::17a45eed527e60df465211fb17af53c5 [Wed Nov 18 23:50:26 2009] [error] redirect to /secured [Wed Nov 18 23:50:26 2009] [error] auth_type Apache2::AuthCookieDBI [Wed Nov 18 23:50:26 2009] [error] r=Apache2::RequestRec=SCALAR (0xb788aa4c) authtype=Apache2::AuthCookieDBI [Wed Nov 18 23:50:26 2009] [error] auth_name WhatEver [Wed Nov 18 23:50:26 2009] [error] ses_key_cookie myNAME:2009-11-18-23- 50-26:2009-11-18-23-51-26::17a45eed527e60df465211fb17af53c5 [Wed Nov 18 23:50:26 2009] [error] uri /secured [Wed Nov 18 23:50:26 2009] [error] user authenticated as myNAME [Wed Nov 18 23:50:26 2009] [error] authorize() for /secured [Wed Nov 18 23:50:26 2009] [error] authorize user=myNAME type=Apache2::AuthCookieDBI [Wed Nov 18 23:50:26 2009] [error] requirement := valid-user, [Wed Nov 18 23:50:27 2009] [error] auth_type Apache2::AuthCookieDBI [Wed Nov 18 23:50:27 2009] [error] r=Apache2::RequestRec=SCALAR (0xb788aa4c) authtype=Apache2::AuthCookieDBI [Wed Nov 18 23:50:27 2009] [error] auth_name WhatEver [Wed Nov 18 23:50:27 2009] [error] ses_key_cookie myNAME:2009-11-18-23- 50-26:2009-11-18-23-51-26::17a45eed527e60df465211fb17af53c5 [Wed Nov 18 23:50:27 2009] [error] uri /secured/ [Wed Nov 18 23:50:27 2009] [error] user authenticated as myNAME [Wed Nov 18 23:50:27 2009] [error] authorize() for /secured/ [Wed Nov 18 23:50:27 2009] [error] authorize user=myNAME type=Apache2::AuthCookieDBI [Wed Nov 18 23:50:27 2009] [error] requirement := valid-user,

Thu Nov 19 13:54:12 2009 matisse [...] spamcop.net - Correspondence added 20 min

That is certain strange. I expected to see log statements (in the failure situation) from the Apache2::AuthCookie::login() method in the base class. Specifically from this code (line numbers are from AuthCookie.pm 3.12): 172 # Get the credentials from the data posted by the client 173 my @credentials; 174 for (my $i = 0; exists $args{"credential_$i"}; $i++) { 175 my $key = "credential_$i"; 176 $r->server->log_error("$key $args{$key}") if $debug >= 2; 177 push @credentials, $args{$key}; 178 } I do see those log messages when you protect a subdirectory, but not when you protected document_root. Right now I have no new ideas. This weekend I will try to duplicate the problem on another server and see if that shows me something new.

Thu Nov 19 13:55:12 2009 matisse [...] spamcop.net - Subject changed from 'SSL and authCookieDBI' to 'Protecting DOCUMENT_ROOT results in repeated showing of login form'

Thu Nov 19 15:30:35 2009 patrick.bo [...] laposte.net - Correspondence added

Le Jeu. Nov. 19 13:54:12 2009, MATISSE a écrit : Show quoted text

> That is certain strange. > > I expected to see log statements (in the failure situation) from the > Apache2::AuthCookie::login() method in the base class. Specifically

from Show quoted text

> this code (line numbers are from AuthCookie.pm 3.12): > > 172 # Get the credentials from the data posted by the client > 173 my @credentials; > 174 for (my $i = 0; exists $args{"credential_$i"}; $i++) { > 175 my $key = "credential_$i"; > 176 $r->server->log_error("$key $args{$key}") if $debug >= 2; > 177 push @credentials, $args{$key}; > 178 } > > I do see those log messages when you protect a subdirectory, but not > when you protected document_root. > > Right now I have no new ideas. This weekend I will try to duplicate

the Show quoted text

> problem on another server and see if that shows me something new.

Yes, it's strange. Thank you for your help. If I can send to you somethings, dont' hesitate.

Fri Nov 20 10:41:59 2009 patrick.bo [...] laposte.net - Correspondence added

Le Jeu. Nov. 19 15:30:35 2009, PatrickB a écrit : Show quoted text

> Le Jeu. Nov. 19 13:54:12 2009, MATISSE a écrit :

> > That is certain strange. > > > > I expected to see log statements (in the failure situation) from the > > Apache2::AuthCookie::login() method in the base class. Specifically

> from

> > this code (line numbers are from AuthCookie.pm 3.12): > > > > 172 # Get the credentials from the data posted by the client > > 173 my @credentials; > > 174 for (my $i = 0; exists $args{"credential_$i"}; $i++) { > > 175 my $key = "credential_$i"; > > 176 $r->server->log_error("$key $args{$key}") if $debug >=

2; Show quoted text

> > 177 push @credentials, $args{$key}; > > 178 } > > > > I do see those log messages when you protect a subdirectory, but not > > when you protected document_root. > > > > Right now I have no new ideas. This weekend I will try to duplicate

> the

> > problem on another server and see if that shows me something new.

> > > Yes, it's strange. Thank you for your help. If I can send to you > somethings, dont' hesitate.

I have a good new. It works! In my authCookieDBI.conf, I have moved the directives <Files Show quoted text

LOGIN>....</Files> inside <Directory "/srv/www/htdocs"> ...

</Directory>. Now this conf is like this: #rajout PBo car erreur si absent PerlOptions +GlobalRequest PerlSetVar AuthCookieDebug 4 # In httpd.conf or .htaccess PerlModule Apache2::AuthCookieDBI PerlSetVar WhatEverPath / #modif PBo PerlSetVar WhatEverLoginScript /login.pl PerlSetVar WhatEverLoginScript /cgi-perl/login.pl # Optional, to share tickets between servers. #invalider PBo PerlSetVar WhatEverDomain .domain.com # These must be set #modif PBo PerlSetVar WhatEverDBI_DSN "DBI:mysql:database=test" PerlSetVar WhatEverDBI_DSN DBI:mysql:authSrv:localhost PerlSetVar WhatEverDBI_SecretKey "489e5eaadb3208f9ad8792ef4afca7359e666b0206a9c92ac 877e73ce835c" # These are optional, the module sets sensible defaults. PerlSetVar WhatEverDBI_User root PerlSetVar WhatEverDBI_Password pateli PerlSetVar WhatEverDBI_UsersTable users PerlSetVar WhatEverDBI_UserField user PerlSetVar WhatEverDBI_PasswordField password PerlSetVar WhatEverDBI_CryptType none PerlSetVar WhatEverDBI_GroupsTable groupes PerlSetVar WhatEverDBI_GroupField groupe PerlSetVar WhatEverDBI_GroupUserField user PerlSetVar WhatEverDBI_EncryptionType none PerlSetVar WhatEverDBI_SessionLifetime 00-01-00-00 # Protected by AuthCookieDBI. #modif PBo <Directory "/srv/www/htdocs"> AuthType Apache2::AuthCookieDBI # set this to whatever, but the PerlSetVar's must match it. # Mettre ce que vous voulez, mais le PerlSetVar doit correspondre. AuthName WhatEver PerlAuthenHandler Apache2::AuthCookieDBI->authenticate PerlAuthzHandler Apache2::AuthCookieDBI->authorize #Require valid-user invalidé avec fonction group demandé Require valid-user # AllowOverride controls what directives may be placed in .htaccess files. # It can be "All", "None", or any combination of the keywords: # Options FileInfo AuthConfig Limit AllowOverride None # Require group Administrator mis dans .htaccess # Login location. en dehors de "<Directory xxx>" pour subdirectory <Files LOGIN> AuthType Apache2::AuthCookieDBI AuthName WhatEver SetHandler perl-script PerlHandler Apache2::AuthCookieDBI->login #rajout PBo Allow from all Satisfy any </Files> </Directory> Please, It works but I would like to know if it's THE real solution. If this bad modification correct the first one and it works finally. Because to protect a subdirectory, those modification are not necessary.

Fri Nov 20 11:28:58 2009 patrick.bo [...] laposte.net - Correspondence added

Le Ven. Nov. 20 10:41:59 2009, PatrickB a écrit : Show quoted text

> Le Jeu. Nov. 19 15:30:35 2009, PatrickB a écrit :

> > Le Jeu. Nov. 19 13:54:12 2009, MATISSE a écrit :

> > > That is certain strange. > > > > > > I expected to see log statements (in the failure situation) from

the Show quoted text

> > > Apache2::AuthCookie::login() method in the base class.

Specifically Show quoted text

> > from

> > > this code (line numbers are from AuthCookie.pm 3.12): > > > > > > 172 # Get the credentials from the data posted by the client > > > 173 my @credentials; > > > 174 for (my $i = 0; exists $args{"credential_$i"}; $i++) { > > > 175 my $key = "credential_$i"; > > > 176 $r->server->log_error("$key $args{$key}") if $debug

>= > 2;

> > > 177 push @credentials, $args{$key}; > > > 178 } > > > > > > I do see those log messages when you protect a subdirectory, but

not Show quoted text

> > > when you protected document_root. > > > > > > Right now I have no new ideas. This weekend I will try to

duplicate Show quoted text

> > the

> > > problem on another server and see if that shows me something new.

> > > > > > Yes, it's strange. Thank you for your help. If I can send to you > > somethings, dont' hesitate.

> > > > I have a good new. It works! > > In my authCookieDBI.conf, I have moved the directives <Files

> LOGIN>....</Files> inside <Directory "/srv/www/htdocs"> ...

> </Directory>. > Now this conf is like this: > #rajout PBo car erreur si absent > PerlOptions +GlobalRequest > > PerlSetVar AuthCookieDebug 4 > > # In httpd.conf or .htaccess > > PerlModule Apache2::AuthCookieDBI > PerlSetVar WhatEverPath / > #modif PBo PerlSetVar WhatEverLoginScript /login.pl > PerlSetVar WhatEverLoginScript /cgi-perl/login.pl > > # Optional, to share tickets between servers. > #invalider PBo PerlSetVar WhatEverDomain .domain.com > > # These must be set > #modif PBo PerlSetVar WhatEverDBI_DSN "DBI:mysql:database=test" > PerlSetVar WhatEverDBI_DSN DBI:mysql:authSrv:localhost > PerlSetVar >

WhatEverDBI_SecretKey "489e5eaadb3208f9ad8792ef4afca7359e666b0206a9c92ac Show quoted text

> 877e73ce835c" > > # These are optional, the module sets sensible defaults. > PerlSetVar WhatEverDBI_User root > PerlSetVar WhatEverDBI_Password pateli > PerlSetVar WhatEverDBI_UsersTable users > PerlSetVar WhatEverDBI_UserField user > PerlSetVar WhatEverDBI_PasswordField password > PerlSetVar WhatEverDBI_CryptType none > PerlSetVar WhatEverDBI_GroupsTable groupes > PerlSetVar WhatEverDBI_GroupField groupe > PerlSetVar WhatEverDBI_GroupUserField user > PerlSetVar WhatEverDBI_EncryptionType none > PerlSetVar WhatEverDBI_SessionLifetime 00-01-00-00 > > # Protected by AuthCookieDBI. > #modif PBo > <Directory "/srv/www/htdocs"> > AuthType Apache2::AuthCookieDBI > > # set this to whatever, but the PerlSetVar's must match it. > # Mettre ce que vous voulez, mais le PerlSetVar doit > correspondre. > AuthName WhatEver > PerlAuthenHandler Apache2::AuthCookieDBI->authenticate > PerlAuthzHandler Apache2::AuthCookieDBI->authorize > #Require valid-user invalidé avec fonction group demandé > Require valid-user > > # AllowOverride controls what directives may be placed > in .htaccess files. > # It can be "All", "None", or any combination of the keywords: > # Options FileInfo AuthConfig Limit > AllowOverride None > # Require group Administrator mis dans .htaccess > > # Login location. en dehors de "<Directory xxx>" pour > subdirectory > <Files LOGIN> > AuthType Apache2::AuthCookieDBI > AuthName WhatEver > SetHandler perl-script > PerlHandler Apache2::AuthCookieDBI->login > #rajout PBo > Allow from all > Satisfy any > </Files> > </Directory> > > Please, It works but I would like to know if it's THE real solution. > If this bad modification correct the first one and it works finally. > Because to protect a subdirectory, those modification are not

necessary. Sorry, I forgot the error_log file with https connection: [Fri Nov 20 17:23:20 2009] [notice] Apache/2.2.13 (Linux/SUSE) mod_ssl/2.2.13 OpenSSL/0.9.8k PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0 configured -- resuming normal operations [Fri Nov 20 17:23:56 2009] [error] auth_type Apache2::AuthCookieDBI [Fri Nov 20 17:23:56 2009] [error] r=Apache2::RequestRec=SCALAR (0xb7905484) authtype=Apache2::AuthCookieDBI [Fri Nov 20 17:23:56 2009] [error] auth_name WhatEver [Fri Nov 20 17:23:56 2009] [error] ses_key_cookie [Fri Nov 20 17:23:56 2009] [error] uri / [Fri Nov 20 17:24:04 2009] [error] Converting POST -> GET [Fri Nov 20 17:24:04 2009] [error] credential_0 myNAME [Fri Nov 20 17:24:04 2009] [error] credential_1 myPASS [Fri Nov 20 17:24:04 2009] [error] ses_key myNAME:2009-11-20-17-24- 04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff [Fri Nov 20 17:24:04 2009] [error] redirect to / [Fri Nov 20 17:24:04 2009] [error] auth_type Apache2::AuthCookieDBI [Fri Nov 20 17:24:04 2009] [error] r=Apache2::RequestRec=SCALAR (0xb7905484) authtype=Apache2::AuthCookieDBI [Fri Nov 20 17:24:04 2009] [error] auth_name WhatEver [Fri Nov 20 17:24:04 2009] [error] ses_key_cookie myNAME:2009-11-20-17- 24-04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff [Fri Nov 20 17:24:04 2009] [error] uri / [Fri Nov 20 17:24:04 2009] [error] user authenticated as myNAME [Fri Nov 20 17:24:04 2009] [error] authorize() for / [Fri Nov 20 17:24:04 2009] [error] authorize user=myNAME type=Apache2::AuthCookieDBI [Fri Nov 20 17:24:04 2009] [error] requirement := valid-user, [Fri Nov 20 17:24:12 2009] [error] auth_type Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] r=Apache2::RequestRec=SCALAR (0xb7905484) authtype=Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] auth_name WhatEver [Fri Nov 20 17:24:12 2009] [error] ses_key_cookie myNAME:2009-11-20-17- 24-04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff [Fri Nov 20 17:24:12 2009] [error] uri /infoPhp.php [Fri Nov 20 17:24:12 2009] [error] user authenticated as myNAME [Fri Nov 20 17:24:12 2009] [error] authorize() for /infoPhp.php [Fri Nov 20 17:24:12 2009] [error] authorize user=myNAME type=Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] requirement := valid-user, [Fri Nov 20 17:24:12 2009] [error] [client 192.168.0.96] PHP Warning: phpinfo(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Berlin' for 'CET/1.0/no DST' instead in /srv/www/htdocs/infoPhp.php on line 2 [Fri Nov 20 17:24:12 2009] [error] auth_type Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] r=Apache2::RequestRec=SCALAR (0xb79095c4) authtype=Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] auth_name WhatEver [Fri Nov 20 17:24:12 2009] [error] ses_key_cookie myNAME:2009-11-20-17- 24-04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff [Fri Nov 20 17:24:12 2009] [error] uri /infoPhp.php [Fri Nov 20 17:24:12 2009] [error] user authenticated as myNAME [Fri Nov 20 17:24:12 2009] [error] authorize() for /infoPhp.php [Fri Nov 20 17:24:12 2009] [error] authorize user=myNAME type=Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] requirement := valid-user, [Fri Nov 20 17:24:12 2009] [error] auth_type Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] r=Apache2::RequestRec=SCALAR (0xb7905484) authtype=Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] auth_name WhatEver [Fri Nov 20 17:24:12 2009] [error] ses_key_cookie myNAME:2009-11-20-17- 24-04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff [Fri Nov 20 17:24:12 2009] [error] uri /infoPhp.php [Fri Nov 20 17:24:12 2009] [error] user authenticated as myNAME [Fri Nov 20 17:24:12 2009] [error] authorize() for /infoPhp.php [Fri Nov 20 17:24:12 2009] [error] authorize user=myNAME type=Apache2::AuthCookieDBI [Fri Nov 20 17:24:12 2009] [error] requirement := valid-user,

Tue Nov 24 17:10:46 2009 patrick.bo [...] laposte.net - Correspondence added

Le Ven. Nov. 20 11:28:58 2009, PatrickB a écrit : Show quoted text

> Le Ven. Nov. 20 10:41:59 2009, PatrickB a écrit :

> > Le Jeu. Nov. 19 15:30:35 2009, PatrickB a écrit :

> > > Le Jeu. Nov. 19 13:54:12 2009, MATISSE a écrit :

> > > > That is certain strange. > > > > > > > > I expected to see log statements (in the failure situation)

from Show quoted text

> the

> > > > Apache2::AuthCookie::login() method in the base class.

> Specifically

> > > from

> > > > this code (line numbers are from AuthCookie.pm 3.12): > > > > > > > > 172 # Get the credentials from the data posted by the

client Show quoted text

> > > > 173 my @credentials; > > > > 174 for (my $i = 0; exists $args{"credential_$i"}; $i++) { > > > > 175 my $key = "credential_$i"; > > > > 176 $r->server->log_error("$key $args{$key}") if

$debug Show quoted text

> >= > > 2;

> > > > 177 push @credentials, $args{$key}; > > > > 178 } > > > > > > > > I do see those log messages when you protect a subdirectory,

but Show quoted text

> not

> > > > when you protected document_root. > > > > > > > > Right now I have no new ideas. This weekend I will try to

> duplicate

> > > the

> > > > problem on another server and see if that shows me something

new. Show quoted text

> > > > > > > > > Yes, it's strange. Thank you for your help. If I can send to you > > > somethings, dont' hesitate.

> > > > > > > > I have a good new. It works! > > > > In my authCookieDBI.conf, I have moved the directives <Files

> > LOGIN>....</Files> inside <Directory "/srv/www/htdocs"> ...

> > </Directory>. > > Now this conf is like this: > > #rajout PBo car erreur si absent > > PerlOptions +GlobalRequest > > > > PerlSetVar AuthCookieDebug 4 > > > > # In httpd.conf or .htaccess > > > > PerlModule Apache2::AuthCookieDBI > > PerlSetVar WhatEverPath / > > #modif PBo PerlSetVar WhatEverLoginScript /login.pl > > PerlSetVar WhatEverLoginScript /cgi-perl/login.pl > > > > # Optional, to share tickets between servers. > > #invalider PBo PerlSetVar WhatEverDomain .domain.com > > > > # These must be set > > #modif PBo PerlSetVar WhatEverDBI_DSN "DBI:mysql:database=test" > > PerlSetVar WhatEverDBI_DSN DBI:mysql:authSrv:localhost > > PerlSetVar > >

>

WhatEverDBI_SecretKey "489e5eaadb3208f9ad8792ef4afca7359e666b0206a9c92ac Show quoted text

> > 877e73ce835c" > > > > # These are optional, the module sets sensible defaults. > > PerlSetVar WhatEverDBI_User root > > PerlSetVar WhatEverDBI_Password pateli > > PerlSetVar WhatEverDBI_UsersTable users > > PerlSetVar WhatEverDBI_UserField user > > PerlSetVar WhatEverDBI_PasswordField password > > PerlSetVar WhatEverDBI_CryptType none > > PerlSetVar WhatEverDBI_GroupsTable groupes > > PerlSetVar WhatEverDBI_GroupField groupe > > PerlSetVar WhatEverDBI_GroupUserField user > > PerlSetVar WhatEverDBI_EncryptionType none > > PerlSetVar WhatEverDBI_SessionLifetime 00-01-00-00 > > > > # Protected by AuthCookieDBI. > > #modif PBo > > <Directory "/srv/www/htdocs"> > > AuthType Apache2::AuthCookieDBI > > > > # set this to whatever, but the PerlSetVar's must match it. > > # Mettre ce que vous voulez, mais le PerlSetVar doit > > correspondre. > > AuthName WhatEver > > PerlAuthenHandler Apache2::AuthCookieDBI->authenticate > > PerlAuthzHandler Apache2::AuthCookieDBI->authorize > > #Require valid-user invalidé avec fonction group demandé > > Require valid-user > > > > # AllowOverride controls what directives may be placed > > in .htaccess files. > > # It can be "All", "None", or any combination of the

keywords: Show quoted text

> > # Options FileInfo AuthConfig Limit > > AllowOverride None > > # Require group Administrator mis dans .htaccess > > > > # Login location. en dehors de "<Directory xxx>" pour > > subdirectory > > <Files LOGIN> > > AuthType Apache2::AuthCookieDBI > > AuthName WhatEver > > SetHandler perl-script > > PerlHandler Apache2::AuthCookieDBI->login > > #rajout PBo > > Allow from all > > Satisfy any > > </Files> > > </Directory> > > > > Please, It works but I would like to know if it's THE real solution. > > If this bad modification correct the first one and it works finally. > > Because to protect a subdirectory, those modification are not

> necessary. > > > Sorry, I forgot the error_log file with https connection: > [Fri Nov 20 17:23:20 2009] [notice] Apache/2.2.13 (Linux/SUSE) > mod_ssl/2.2.13 OpenSSL/0.9.8k PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0 > configured -- resuming normal operations > [Fri Nov 20 17:23:56 2009] [error] auth_type Apache2::AuthCookieDBI > [Fri Nov 20 17:23:56 2009] [error] r=Apache2::RequestRec=SCALAR > (0xb7905484) authtype=Apache2::AuthCookieDBI > [Fri Nov 20 17:23:56 2009] [error] auth_name WhatEver > [Fri Nov 20 17:23:56 2009] [error] ses_key_cookie > [Fri Nov 20 17:23:56 2009] [error] uri / > [Fri Nov 20 17:24:04 2009] [error] Converting POST -> GET > [Fri Nov 20 17:24:04 2009] [error] credential_0 myNAME > [Fri Nov 20 17:24:04 2009] [error] credential_1 myPASS > [Fri Nov 20 17:24:04 2009] [error] ses_key myNAME:2009-11-20-17-24- > 04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff > [Fri Nov 20 17:24:04 2009] [error] redirect to / > [Fri Nov 20 17:24:04 2009] [error] auth_type Apache2::AuthCookieDBI > [Fri Nov 20 17:24:04 2009] [error] r=Apache2::RequestRec=SCALAR > (0xb7905484) authtype=Apache2::AuthCookieDBI > [Fri Nov 20 17:24:04 2009] [error] auth_name WhatEver > [Fri Nov 20 17:24:04 2009] [error] ses_key_cookie myNAME:2009-11-20-

17- Show quoted text

> 24-04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff > [Fri Nov 20 17:24:04 2009] [error] uri / > [Fri Nov 20 17:24:04 2009] [error] user authenticated as myNAME > [Fri Nov 20 17:24:04 2009] [error] authorize() for / > [Fri Nov 20 17:24:04 2009] [error] authorize user=myNAME > type=Apache2::AuthCookieDBI > [Fri Nov 20 17:24:04 2009] [error] requirement := valid-user, > [Fri Nov 20 17:24:12 2009] [error] auth_type Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] r=Apache2::RequestRec=SCALAR > (0xb7905484) authtype=Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] auth_name WhatEver > [Fri Nov 20 17:24:12 2009] [error] ses_key_cookie myNAME:2009-11-20-

17- Show quoted text

> 24-04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff > [Fri Nov 20 17:24:12 2009] [error] uri /infoPhp.php > [Fri Nov 20 17:24:12 2009] [error] user authenticated as myNAME > [Fri Nov 20 17:24:12 2009] [error] authorize() for /infoPhp.php > [Fri Nov 20 17:24:12 2009] [error] authorize user=myNAME > type=Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] requirement := valid-user, > [Fri Nov 20 17:24:12 2009] [error] [client 192.168.0.96] PHP

Warning: Show quoted text

> phpinfo(): It is not safe to rely on the system's timezone settings. > You are *required* to use the date.timezone setting or the > date_default_timezone_set() function. In case you used any of those > methods and you are still getting this warning, you most likely > misspelled the timezone identifier. We selected 'Europe/Berlin' > for 'CET/1.0/no DST' instead in /srv/www/htdocs/infoPhp.php on line 2 > [Fri Nov 20 17:24:12 2009] [error] auth_type Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] r=Apache2::RequestRec=SCALAR > (0xb79095c4) authtype=Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] auth_name WhatEver > [Fri Nov 20 17:24:12 2009] [error] ses_key_cookie myNAME:2009-11-20-

17- Show quoted text

> 24-04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff > [Fri Nov 20 17:24:12 2009] [error] uri /infoPhp.php > [Fri Nov 20 17:24:12 2009] [error] user authenticated as myNAME > [Fri Nov 20 17:24:12 2009] [error] authorize() for /infoPhp.php > [Fri Nov 20 17:24:12 2009] [error] authorize user=myNAME > type=Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] requirement := valid-user, > [Fri Nov 20 17:24:12 2009] [error] auth_type Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] r=Apache2::RequestRec=SCALAR > (0xb7905484) authtype=Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] auth_name WhatEver > [Fri Nov 20 17:24:12 2009] [error] ses_key_cookie myNAME:2009-11-20-

17- Show quoted text

> 24-04:2009-11-20-17-25-04::777ae50a1de5d224798344cee914d3ff > [Fri Nov 20 17:24:12 2009] [error] uri /infoPhp.php > [Fri Nov 20 17:24:12 2009] [error] user authenticated as myNAME > [Fri Nov 20 17:24:12 2009] [error] authorize() for /infoPhp.php > [Fri Nov 20 17:24:12 2009] [error] authorize user=myNAME > type=Apache2::AuthCookieDBI > [Fri Nov 20 17:24:12 2009] [error] requirement := valid-user, >

Have you done some investigations and do you agree those conf files?

Tue Nov 24 18:56:50 2009 matisse [...] spamcop.net - Correspondence added

On Tue Nov 24 17:10:46 2009, PatrickB wrote: Show quoted text

> > Have you done some investigations and do you agree those conf files?

I apologize - I have not yet set up another server. This coming weekend is a holiday weekend for us so I hope to have more time to do this. -M

Wed Nov 25 13:54:00 2009 patrick.bo [...] laposte.net - Correspondence added

Le Mar. Nov. 24 18:56:50 2009, MATISSE a écrit : Show quoted text

> On Tue Nov 24 17:10:46 2009, PatrickB wrote:

> > > > Have you done some investigations and do you agree those conf files?

> > I apologize - I have not yet set up another server. > This coming weekend is a holiday weekend for us so I hope to have more > time to do this. > > -M

No problem, no problem. Are you living in North or South of California? Because in my calendar, the next week end is not a public holiday. Is it special to your region? But anyway have a good weekend. Patrick

Wed Nov 25 17:10:13 2009 matisse [...] spamcop.net - Correspondence added

On Wed Nov 25 13:54:00 2009, PatrickB wrote: Show quoted text

> Are you living in North or South of California? Because in my calendar, > the next week end is not a public holiday. Is it special to your region? > But anyway have a good weekend.

I'm in San Francisco. Tomorrow, Thursday is a national US holiday and many institutions are closed for Thursday and Friday, making for a long (4-day) weekend.

Thu Nov 26 15:07:38 2009 patrick.bo [...] laposte.net - Correspondence added

Le Mer. Nov. 25 17:10:13 2009, MATISSE a écrit : Show quoted text

> On Wed Nov 25 13:54:00 2009, PatrickB wrote: >

> > Are you living in North or South of California? Because in my

calendar, Show quoted text

> > the next week end is not a public holiday. Is it special to your

region? Show quoted text

> > But anyway have a good weekend.

> > I'm in San Francisco. Tomorrow, Thursday is a national US holiday and > many institutions are closed for Thursday and Friday, making for a

long Show quoted text

> (4-day) weekend.

Nice, very nice a long week end.

Sat Nov 28 14:49:32 2009 matisse [...] spamcop.net - Correspondence added 60 min

I have been able to reproduce the problem, and I think I might have found a more simple fix for it, but I do not yet understand what is really happening. Here is the more simple fix: It is OK to have the <Files LOGIN> section outside of the <Directory ...> section, but you add "Satisfy any" inside the <Files LOGIN> section, like this: <Files LOGIN> AuthType Apache2::AuthCookieDBI AuthName WhatEver SetHandler perl-script PerlHandler Apache2::AuthCookieDBI->login Satisfy any </Files> With the "Satisfy any" the problem stops, but I don't understand why. According to the documentation (http://httpd.apache.org/docs/2.2/mod/core.html#satisfy) "This directive is only useful if access to a particular area is being restricted by both username/password and client host address." But there must be something else going on. Please try this solution and let me know if it also works for you. At a minimum I can update the documentation.

Sun Nov 29 15:09:39 2009 patrick.bo [...] laposte.net - Correspondence added

Le Sam. Nov. 28 14:49:32 2009, MATISSE a écrit : Show quoted text

> I have been able to reproduce the problem, and I think I might have > found a more simple fix for it, but I do not yet understand what is > really happening. > > Here is the more simple fix: > > It is OK to have the <Files LOGIN> section outside of the <Directory > ...> section, but you add "Satisfy any" inside the <Files LOGIN> > section, like this: > > <Files LOGIN> > AuthType Apache2::AuthCookieDBI > AuthName WhatEver > SetHandler perl-script > PerlHandler Apache2::AuthCookieDBI->login > Satisfy any > </Files> > > With the "Satisfy any" the problem stops, but I don't understand why. > According to the documentation > (http://httpd.apache.org/docs/2.2/mod/core.html#satisfy) > "This directive is only useful if access to a particular area is being > restricted by both username/password and client host address." > > But there must be something else going on. > > > Please try this solution and let me know if it also works for you. > > At a minimum I can update the documentation. >

Okay, thank you. I try and I inform you

Tue Dec 01 14:17:07 2009 patrick.bo [...] laposte.net - Correspondence added

Le Dim. Nov. 29 15:09:39 2009, PatrickB a écrit : Show quoted text

> Le Sam. Nov. 28 14:49:32 2009, MATISSE a écrit :

> > I have been able to reproduce the problem, and I think I might have > > found a more simple fix for it, but I do not yet understand what is > > really happening. > > > > Here is the more simple fix: > > > > It is OK to have the <Files LOGIN> section outside of the <Directory > > ...> section, but you add "Satisfy any" inside the <Files LOGIN> > > section, like this: > > > > <Files LOGIN> > > AuthType Apache2::AuthCookieDBI > > AuthName WhatEver > > SetHandler perl-script > > PerlHandler Apache2::AuthCookieDBI->login > > Satisfy any > > </Files> > > > > With the "Satisfy any" the problem stops, but I don't understand

why. Show quoted text

> > According to the documentation > > (http://httpd.apache.org/docs/2.2/mod/core.html#satisfy) > > "This directive is only useful if access to a particular area is

being Show quoted text

> > restricted by both username/password and client host address." > > > > But there must be something else going on. > > > > > > Please try this solution and let me know if it also works for you. > > > > At a minimum I can update the documentation. > >

> > Okay, thank you. > I try and I inform you >

It works... Tell me what I can do.

Tue Dec 01 14:33:51 2009 matisse [...] spamcop.net - Correspondence added

On Tue Dec 01 14:17:07 2009, PatrickB wrote: Show quoted text

> It works... > Tell me what I can do.

You could create some changes to the documentation that describe this - that you must include Satisfy any in the <Files LOGIN> section if you want to protect the entire document root.

Sat Dec 18 21:00:43 2010 matisse [...] spamcop.net - Status changed from 'open' to 'resolved'

Sat Dec 18 21:00:43 2010 matisse [...] spamcop.net - Fixed in 2.13 added

Sat Dec 18 21:00:43 2010 matisse [...] spamcop.net - Fixed in 2.05 deleted