mod_radius, apache2 and the auth cookie.


mod_radius, apache2 and the auth cookie.

Palmer J.D.F.
Hi,

Is it possible to set the timeout for the auth cookie used by the mod_radius
authentication module to 0; by Zero I mean no time, not infinite time?

Or, is there a way that I can clear the cookie on a failed login?

At present, if a user login fails the user has to close the browser and open
another in order to be able to re-enter their credentials; I want to try to
get round this if possible.
It doesn't matter that the login will timeout immediately.

Many thanks,
Jezz Palmer.

****************************************
Jezz Palmer.
Internet Systems Officer.
Library and Information Services
University of Wales, Swansea
Singleton Park
Swansea
SA2 8PP
****************************************


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: mod_radius, apache2 and the auth cookie.

Alan DeKok
"Palmer J.D.F." <[hidden email]> wrote:
> Is it possible to set the timeout for the auth cookie used by the mod_radius
> authentication module to 0; by Zero I mean no time, not infinite time?

  You mean re-authenticate for every request?  That would require
source code changes.

> Or, is there a way that I can clear the cookie on a failed login?

  The module doesn't set the cookie on a failed login, so there
shouldn't be any problem.

> At present, if a user login fails the user has to close the browser and open
> another in order to be able to re-enter their credentials; I want to try to
> get round this if possible.

  I don't see why that would happen.  The module was designed, and
tested to work properly in that situation.

  Can you explain more about what you're doing, how, and what browser
you're using?

  Alan DeKok.


RE: mod_radius, apache2 and the auth cookie.

Palmer J.D.F.
Hi Alan,

> "Palmer J.D.F." <[hidden email]> wrote:
> > Is it possible to set the timeout for the auth cookie used by the mod_radius
> > authentication module to 0; by Zero I mean no time, not infinite time?
>
>   You mean re-authenticate for every request?  That would require
> source code changes.

Effectively yes, see the description of what I'm trying to do below.

> > Or, is there a way that I can clear the cookie on a failed login?
>
>   The module doesn't set the cookie on a failed login, so there
> shouldn't be any problem.

If I get a failed login, then try to login again, it just uses cached
credentials and doesn't prompt for details; if I close and re-open the
browser it does then allow me to enter details.
I guess it may not be a cookie if one isn't set, but the credentials are
being cached somewhere.

>
> > At present, if a user login fails the user has to close the browser and open
> > another in order to be able to re-enter their credentials; I want to try to
> > get round this if possible.
>
>   I don't see why that would happen.  The module was designed, and
> tested to work properly in that situation.
>
>   Can you explain more about what you're doing, how, and what browser
> you're using?

So far this has only been tested with IE on a patched up but otherwise std
XP machine.

The reason for the authentication is to log into a web-redirect gateway.
An iptables rule redirects any un-authenticated IP/MAC pairs to the login
page; on a successful login the page (a php page which resides in a
protected folder) adds some iptables rules to allow that particular client
(IP/MAC pair) through the gateway.
This is why it doesn't matter that there is an instant timeout, as the
client will not need to access the page again until his/her connection times
out and the 'allowing' iptables rules are removed.  The removal of stale
connections is handled with a cron job script that compares iptables entries
to the arp table on the internal interface; if there are iptables rules for
an IP/MAC pair, but no arp entry for them, then the iptables rules are
removed.
Quite crude, but it works.

In summary, I have index.php that users are redirected to; this page
contains a 'Log In' link to a page in a protected folder, /gateway/go.php.
When they click the link they are challenged for credentials; if they are
correct then /gateway/go.php loads, setting some iptables rules; if it fails
then we are currently loading a page called failed.php that explains to the
user that they need to shut down the browser and open a new one and try
again.

An aside to this, is it possible to have a couple of text boxes on the login
page where the user/pass are entered which are then sent to mod_radius, as
opposed to having a pop up user/pass dialogue box?


Thanks,
Jezz Palmer.
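The cron-job reconciliation Jezz describes, as an added example written here rather than taken from the thread: it parses constructed `iptables -S FORWARD` and `arp -an` output and returns the exact `-D` rule specs for allow rules whose IP/MAC pair is no longer in the ARP table. Chain name, interface name, addresses and MACs are assumptions.

```python
import re

# Constructed sample of `iptables -S FORWARD`: one ACCEPT rule per logged-in IP/MAC pair.
IPTABLES_SAMPLE = """\
-P FORWARD DROP
-A FORWARD -s 10.0.0.5/32 -m mac --mac-source AA:BB:CC:DD:EE:01 -j ACCEPT
-A FORWARD -s 10.0.0.6/32 -m mac --mac-source AA:BB:CC:DD:EE:02 -j ACCEPT
-A FORWARD -s 10.0.0.7/32 -m mac --mac-source AA:BB:CC:DD:EE:03 -j ACCEPT
"""

# Constructed sample of `arp -an` on the (assumed) internal interface eth1.
# 10.0.0.6 now answers from a different MAC; 10.0.0.7 no longer answers at all.
ARP_SAMPLE = """\
? (10.0.0.5) at aa:bb:cc:dd:ee:01 [ether] on eth1
? (10.0.0.6) at aa:bb:cc:dd:ee:ff [ether] on eth1
? (10.0.0.7) at <incomplete> on eth1
"""

RULE_RE = re.compile(r"^-A (\S+) -s (\d+\.\d+\.\d+\.\d+)/32 "
                     r"-m mac --mac-source ([0-9A-Fa-f:]{17}) -j ACCEPT$")
ARP_RE = re.compile(r"^\S+ \((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17}) \[ether\] on (\S+)$")


def live_pairs(arp_output, iface="eth1"):
    """Set of (ip, mac) currently resolved on iface; <incomplete> entries do not match."""
    pairs = set()
    for line in arp_output.splitlines():
        m = ARP_RE.match(line.strip())
        if m and m.group(3) == iface:
            pairs.add((m.group(1), m.group(2).lower()))
    return pairs


def stale_rules(iptables_output, arp_output, iface="eth1"):
    """Return `iptables -D` rule specs for allow rules whose IP/MAC pair is gone."""
    live = live_pairs(arp_output, iface)
    stale = []
    for line in iptables_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # policy lines and unrelated rules are left alone
        chain, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        if (ip, mac) not in live:
            # Reproduce the full match so -D removes exactly this rule and nothing else.
            stale.append(f"-D {chain} -s {ip}/32 -m mac --mac-source {mac} -j ACCEPT")
    return stale
```

A client whose ARP entry has merely expired while idle is treated as gone and has to log in again, which is the crude part Jezz mentions.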

Re: mod_radius, apache2 and the auth cookie.

Stefan.Neis@t-online.de
Hi,

Palmer J.D.F. wrote:

> If I get a failed login, then try to login again, it just uses cached
> credentials and doesn't prompt for details; if I close and re-open the
> browser it does then allow me to enter details.

Sounds like it might be the browser that's caching the
bad credentials .... :-(

> This is why it doesn't matter that there is an instant timeout, as the
> client will not need to access the page again until his/her connection times
> out and the 'allowing' iptables rules are removed.

Note that you need to authenticate for every _file_
that's being transferred, so if your page contains
e.g. any graphics (background image, icons, whatever)
an instant timeout _will_ matter.

         Regards,
                     Stefan

Re: mod_radius, apache2 and the auth cookie.

Alan DeKok
"Palmer J.D.F." <[hidden email]> wrote:
> >   You mean re-authenticate for every request?  That would require
> > source code changes.
>
> Effectively yes, see the description of what I'm trying to do below.

  As was pointed out, you'll get authentication dialogs for every gif
& jpg on the page.  This is a BAD idea.

> If I get a failed login, then try to login again, it just uses cached
> credentials and doesn't prompt for details; if I close and re-open the
> browser it does then allow me to enter details.

  Then your browser is broken.

> So far this has only been tested with IE on a patched up but otherwise std
> XP machine.

  Read the rants in the source code for why IE isn't a web browser.

> The reason for the authentication is to log into a web-redirect gateway.
> An iptables rule redirects any un-authenticated IP/MAC pairs to the login
> page; on a successful login the page (a php page which resides in a
> protected folder) adds some iptables rules to allow that particular client
> (IP/MAC pair) through the gateway.

  There are "captive portal" programs that do this.  Search the net
for them, they'll probably be simpler to set up, and will work with IE.

  Alan DeKok.


RE: mod_radius, apache2 and the auth cookie.

Palmer J.D.F.
Hi,

>   As was pointed out, you'll get authentication dialogs for every gif
> & jpg on the page.  This is a BAD idea.

The gifs etc. are located in an unprotected directory; surely this prevents
them from having to re-authenticate for each?

>
> > If I get a failed login, then try to login again, it just uses cached
> > credentials and doesn't prompt for details; if I close and re-open the
> > browser it does then allow me to enter details.
>
>   Then your browser is broken.

Firefox and Opera are also broken in that case. :-(

A bit of a dig around reveals this from the Apache site, which implies that
all browsers cache the credentials:
http://httpd.apache.org/docs/howto/auth.html#basicfaq


Thanks,
Jezz Palmer.

Re: mod_radius, apache2 and the auth cookie.

Kris Benson
FreeRadius users mailing list <[hidden email]> on
August 2, 2005 at 01:55 -0800 wrote:
>Hi,
>
>>   As was pointed out, you'll get authentication dialogs for every gif
>> & jpg on the page.  This is a BAD idea.
>
>The gifs etc. are located in an unprotected directory; surely this prevents
>them from having to re-authenticate for each?

In theory, yes.  However, this has been nixed by most browsers, in that
"mixed content" presents a security risk.  Your IE users will see a
message saying "This page contains both secure and non-secure items..." at
least on first connect, the FF users may not even get that -- I don't
recall what happens with mixed content in FF.

>> > If I get a failed login, then try to login again, it just uses cached
>> > credentials and doesn't prompt for details; if I close and re-open the
>> > browser it does then allow me to enter details.
>>
>>   Then your browser is broken.
>
>Firefox and Opera are also broken in that case. :-(
>
>A bit of a dig around reveals this from the Apache site, which implies that
>all browsers cache the credentials:
>http://httpd.apache.org/docs/howto/auth.html#basicfaq

It sounds to me like the server isn't sending the correct error code for
auth-failed, thus the browser thinks it's OK to use the old credentials.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)
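Kris's point above, as an added example that is not code from the thread or from mod_radius: a minimal server-side handler for HTTP Basic auth that answers every missing or wrong credential with 401 and a fresh WWW-Authenticate challenge, which is what makes a browser re-prompt instead of replaying what it cached. The realm name and the user table are constructed for the demo; a real gateway would hand the pair to RADIUS instead.

```python
import base64
import hmac

REALM = "gateway"  # assumed realm name, not from the thread

# Constructed credential store for the demo; the HTTP exchange is the same whether
# the check happens here or in RADIUS via mod_radius.
USERS = {"jezz": "pw"}


def basic_header(user, password):
    """Build the `Authorization` value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(authorization):
    """Return (user, password) from an Authorization header value, or None if unusable."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 (binascii.Error) and bad UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def check_credentials(user, password):
    expected = USERS.get(user)
    # Constant-time compare so response timing does not reveal which part was wrong.
    return expected is not None and hmac.compare_digest(expected, password)


def handle_request(headers):
    """Return (status, response_headers, body) for a request to the protected page.

    `headers` is assumed to be a dict with the exact key "Authorization"; a real
    server normalises header-name case before this point.
    """
    creds = parse_basic(headers.get("Authorization"))
    if creds and check_credentials(*creds):
        return 200, {"Content-Type": "text/plain"}, "login ok"
    # Missing *and* wrong credentials both get 401 plus a new challenge. Answering a
    # failed login with 403, or with a 200 "failed" page, gives the browser no reason
    # to re-prompt, so it keeps the cached (bad) credentials the thread complains about.
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"', "Content-Type": "text/plain"}
    return 401, challenge, "login failed"
```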


Re: mod_radius, apache2 and the auth cookie.

Alan DeKok
"Palmer J.D.F." <[hidden email]> wrote:
> The gifs etc. are located in an unprotected directory; surely this prevents
> them from having to re-authenticate for each?

  Yes.

> A bit of a dig around reveals this from the Apache site, which implies that
> all browsers cache the credentials:
> http://httpd.apache.org/docs/howto/auth.html#basicfaq

  Well, that's changed since I wrote the module.  It's irritating as
heck, too.

  The only solution is to take a hint from mod_securid, and put the
username & password on an auto-generated HTML page, where the browser
won't cache them.

  That would involve a complete re-write of the module, though.

  Alan DeKok.
