Apache Lounge
Forum Index -> Apache
Topic: security problem, auth_form and authn_dbd
Author
casi91



Joined: 07 Dec 2012
Posts: 6
Location: Germany

Posted: Fri 07 Dec '12 11:49    Post subject: security problem, auth_form and authn_dbd

Hi there,

I am trying to configure a login with the Apache server.
I would like to use my own login page, so I use "mod_auth_form".
I also want to check the user against my DB.
So I use "mod_authn_dbd" and "mod_authz_dbd".

The login and the logout work fine. But I've got a security problem.
When I'm logged in and look at my browser cookies, I see the username and the password without any encryption.
For example:
Quote:
MyServer-user=testusr&MyServer-pw=testpwd


How can I make my login safer?
I hope you understand my problem and that my English is not that bad.

My system information:
- Apache 2.4.3
- PHP 5.4.9
- Windows Server 2008 R2

Here is my current configuration:

Code:

<Location /login>
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation /index.php
    AuthFormLoginSuccessLocation /xxx/login.php

    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    Session On
    #SessionCryptoPassphrase secret
    SessionCookieName session path=/

    # don't require user to already be logged in!
    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

    # dbd-login action executes a statement to log user in
    Require dbd-login
    AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

    # return user to referring page (if any) after
    # successful login
    AuthzDBDLoginToReferer On
</Location>


<Directory "xxx/xxx">
    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    AuthFormLoginRequiredLocation /index.php
    Session On
    #SessionCryptoPassphrase secret
    SessionCookieName session path=/

    # core authorization configuration
    Require valid-user

    # mod_authn_dbd SQL query to authenticate a user
    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s AND login = 'true'"

    ErrorDocument 401 /loginfail.php

    <Files login.php>
        # don't require user to already be logged in!
        AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

        # dbd-login action executes a statement to log user in
        Require dbd-login
        AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

        # return user to referring page (if any) after
        # successful login
        #AuthzDBDLoginToReferer On
    </Files>
</Directory>
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

Posted: Fri 07 Dec '12 12:08    Post subject:

At http://httpd.apache.org/docs/2.4/mod/mod_auth_form.html

it is written:

The directives Session, SessionCookieName and SessionCryptoPassphrase create an encrypted session stored within an HTTP cookie on the browser. For more information on the different options for configuring a session, read the documentation for mod_session.
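The change the admin's reply points at, as an added example that is not from the original thread or from the Apache documentation: the poster's session directives as posted (passphrase commented out, so the form fields sit in the cookie in the clear) next to a hardened form that loads mod_session_crypto and encrypts the cookie. The module paths, the passphrase placeholder, the cookie attributes and the max-age value are assumptions, and the openssl driver line assumes an APR-util build that includes that crypto driver.

```apache
# As posted: Session On with no SessionCryptoPassphrase, so the cookie
# named "session" carries MyServer-user=...&MyServer-pw=... unencrypted.
#
#     Session On
#     #SessionCryptoPassphrase secret
#     SessionCookieName session path=/

# Hardened form (assumed module paths; adjust to your httpd layout).
LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so

# Crypto driver is a server-wide setting; assumes APR-util was built
# with the OpenSSL apr_crypto driver.
SessionCryptoDriver openssl

<Location /login>
    SetHandler form-login-handler
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    AuthFormLoginRequiredLocation /index.php
    AuthFormLoginSuccessLocation /xxx/login.php

    Session On
    # Placeholder: use a long random secret, never the literal "secret".
    SessionCryptoPassphrase CHANGE-ME-to-a-long-random-passphrase
    # HttpOnly keeps page scripts away from the cookie, Secure keeps it
    # off plain HTTP; both are attributes appended to the cookie name.
    SessionCookieName session path=/;HttpOnly;Secure
    # Drop idle sessions after 30 minutes (seconds).
    SessionMaxAge 1800

    # AuthDBDUserPWQuery, Require dbd-login and AuthzDBDQuery stay exactly
    # as in the original post; they are unrelated to cookie encryption.
</Location>
```

After restarting, the "session" cookie should show an opaque encrypted value instead of the user and pw fields; if httpd instead drops the connection as described later in the thread, confirm the loaded libaprutil-1.dll was built with a crypto driver before digging further, since mod_session_crypto cannot operate without one.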
casi91



Joined: 07 Dec 2012
Posts: 6
Location: Germany

Posted: Fri 07 Dec '12 12:40    Post subject:

Thanks,
I saw this entry too,
but if I use
Code:
SessionCryptoPassphrase secret


I get an error
Quote:
the connection was closed


and I do not understand why.
admin
Site Admin


Joined: 15 Oct 2005
Posts: 692

Posted: Fri 07 Dec '12 12:56    Post subject:

Where do you get the error "the connection was closed"?

Anything in the error log?

PS.
Saw the same discussion at Apachefriends.
casi91



Joined: 07 Dec 2012
Posts: 6
Location: Germany

Posted: Fri 07 Dec '12 13:16    Post subject:

Oh sorry,
I get this error in the browser (Firefox).
The error in German: "Die Verbindung zum Server wurde zurückgesetzt, während die Seite geladen wurde."

For a few minutes I watched the error log after I tried to log in, and there was no (new) error entry.


Yes, the discussion at Apachefriends is my thread too.

But more heads, more ideas.
casi91



Joined: 07 Dec 2012
Posts: 6
Location: Germany

Posted: Mon 10 Dec '12 14:22    Post subject:

No idea
why I get this error when I use
Code:
SessionCryptoPassphrase secret

?
casi91



Joined: 07 Dec 2012
Posts: 6
Location: Germany

Posted: Thu 13 Dec '12 17:19    Post subject:

Hi there,

I deleted my error log and reproduced my problem. And now I found this line:
Quote:
[mpm_winnt:notice] [pid 3552:tid 420] AH00428: Parent: child process exited with status 255 -- Restarting.


So that says that the server is actually restarting.
But how can I figure out why this happens?
casi91



Joined: 07 Dec 2012
Posts: 6
Location: Germany

Posted: Fri 14 Dec '12 8:06    Post subject:

Hi there,
I have new information about my problem.

The Windows event log says that the faulting application is "httpd.exe"
and the faulting module is "libaprutil-1.dll".

More (important) information is not available.
Any ideas?