

Simple Apache Form Authentication: mod_auth_cookie - drusenko

This module seems to have fallen by the wayside: The previous homepage has gone dark, and I was luckily able to grab the source from archive.org.

It's a really great way to set up a simple login form and get rid of the ugly Basic Authentication prompt. You still use Basic Authentication (including a .htpasswd file or mod_auth_mysql, for example), but redirect using a custom 401 handler that shows a login form, that in turn sets the user:password combination as a cookie.

On the server, mod_auth_cookie then takes that cookie and fakes the Basic Authentication headers. It's literally so simple, it can be configured with one line on top of Basic Auth:

AuthCookieName CookieName

I've resurrected the module from the abyss, and hosted a shiny new homepage at http://modauthcookie.weebly.com/
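
The flow the post describes, sketched as an added example (not part of the original post and not mod_auth_cookie's own code): a login handler sets the credential cookie, and a request filter turns it back into a Basic `Authorization` header. The base64 cookie encoding, the helper names and the cookie attributes are assumptions; only `AuthCookieName CookieName` comes from the post.

```python
import base64
from http.cookies import SimpleCookie

COOKIE_NAME = "CookieName"  # the AuthCookieName value shown in the post


def login_set_cookie(user, password, name=COOKIE_NAME):
    """Set-Cookie value a login form handler could emit (hypothetical helper)."""
    if ":" in user or any(c in user + password for c in ";\r\n"):
        raise ValueError("unsupported character in credentials")
    # Assumption: the cookie carries base64("user:password"), the same
    # token Basic Authentication puts in the Authorization header.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    # The cookie is equivalent to the password, so restrict where it travels:
    # HTTPS only, not readable from script, not sent on cross-site requests.
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def fake_basic_auth(headers, name=COOKIE_NAME):
    """Return a copy of the request headers with Authorization synthesized
    from the cookie, mimicking the behaviour the post describes."""
    out = dict(headers)
    if "Authorization" in out:
        return out                      # explicit Basic credentials win
    jar = SimpleCookie()
    jar.load(out.get("Cookie", ""))
    if name not in jar:
        return out                      # no cookie: Basic Auth answers 401
    token = jar[name].value
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return out                      # malformed cookie: treat as absent
    if ":" not in decoded:
        return out                      # not a user:password pair
    out["Authorization"] = "Basic " + token
    return out


if __name__ == "__main__":
    # Constructed sample credentials (the RFC 7617 example pair).
    print(login_set_cookie("Aladdin", "open sesame"))
    request = {"Cookie": "theme=dark; CookieName=QWxhZGRpbjpvcGVuIHNlc2FtZQ=="}
    print(fake_basic_auth(request)["Authorization"])
```

Because the cookie value decodes straight back to the password, it needs at least the protection a session cookie gets, and unlike a session identifier it cannot be revoked without changing the password.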
======
xefyr
For the curious, I've had the recent misfortune of working with JBOSS at work;
this sounds identical to how it provides form-based authentication.

For the curious:
[http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicati...](http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationUsingACustomForm)

------
a_caspis
Did it fall out of grace because it was vulnerable to cross-site attacks?
(<http://en.wikipedia.org/wiki/Cross-site_request_forgery>)

~~~
drusenko
I believe it fell out of grace because the maintainer's page disappeared. And
no, it shouldn't be any more vulnerable to CSRF than a simple session-cookie
system, which is what this basically is.

------
brk
Very cool, I will probably use this at some point soon.

IMO, this is a big part of what makes open source so valuable.

