An example of using AuthType Digest to authenticate a user once across subdomains?

I have a domain that a small private group of people will access. Therefore, I want to control access through authentication.

The domain has a set of installed applications, each of which has its own subdomain. For example: domain.com, app1.domain.com, app2.domain.com, app3.domain.com

I would like to have one login solution so that they do not have to authenticate for each application. In addition, the applications are written in different languages (PHP, Python and Perl), so user authentication through an Apache module is ideal.

I'm new to Digest authentication, but this seems like a good solution. I used htdigest to create my users. I configured my domain and subdomains (see below).

If I go to the domain or any of the subdomains, it prompts me for a username and password. If I enter the correct username and password, it authenticates me and the page loads. However, if I move to another subdomain, it asks me for my username and password again. If I enter the same username and password, it works.

So, the password file is fine, and authentication is fine, but the problem seems to be the configuration of AuthDigestDomain.

I searched all over the network to find an example of using Digest authentication for multiple domains, but I cannot find a specific example that solves my problem.

I hope someone here can help. Do I put the same authentication information in every Directory? Should I use Directory, Location or Files? Did I miss something altogether?

Thanks in advance!

The following is an example of my Apache configuration for domain.com:

    <Directory /var/www>
        AuthType Digest
        AuthName "realm"
        AuthDigestAlgorithm MD5
        # protection space: URIs for which a client may reuse these credentials
        AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
        AuthDigestNcCheck Off
        AuthDigestNonceLifetime 0
        AuthDigestQop auth
        AuthDigestProvider file
        AuthUserFile /etc/apache2/.htpasswd-digest
        AuthGroupFile /dev/null
        Require valid-user
    </Directory>

And here is an example of app1.domain.com:

    <Directory /var/lib/app1>
        AuthType Digest
        AuthName "realm"
        AuthDigestAlgorithm MD5
        # same protection space and realm as domain.com
        AuthDigestDomain / http://domain.com/ http://app1.domain.com/ http://app2.domain.com/ http://app3.domain.com/
        AuthDigestNcCheck Off
        AuthDigestNonceLifetime 0
        AuthDigestQop auth
        AuthDigestProvider file
        AuthUserFile /etc/apache2/.htpasswd-digest
        AuthGroupFile /dev/null
        Require valid-user
    </Directory>

To further confuse matters, this works when using IE6, but not Firefox or Chrome. Is it the clients that are not sending the authentication properly, or is the server not sending the correct credentials?

I also read RFC 2617 and wrote the authentication headers using PHP to ensure that the request/response is correct. It did not help!

+4
3 answers

Most browsers do not respect the "domain" directive and will not resend credentials for other URIs. As far as I know, Opera is the only browser that honors it.

For Opera, the server should respond with the same "realm" string for each URI in the domain list. In other words, if domain="/test /example", the server should send "Test Realm-example.com" in the WWW-Authenticate header for both of these URIs. I suppose Opera does this because, instead of looking at security for H, it stores H(A1). Read more in RFC 2617.

Here is my cross-browser solution to this problem: http://travisce.com/arest/

+3

I have no experience with something like that. But I just looked at the Apache documentation and found this:

The AuthDigestNonceLifetime directive controls how long the server nonce is valid. [...] If seconds is less than 0, the nonce never expires.

So, it seems to me that 0 seconds (the value you are using) is either illegal, or it really tells Apache that the nonce expires in 0 seconds, which exactly explains the behavior you get.

0
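The Digest exchange that the question (hand-written RFC 2617 headers), the first answer (a client reusing H(A1) across hosts only under an identical realm) and the second answer (nonce lifetime) are all reasoning about, as an added Python example; it is not code from the question, the answers or Apache. It models what htdigest stores, the server challenge with its `domain` list, the client response for qop=auth, and a server-side check with a configurable nonce lifetime. The realm, hostnames, user, password, htdigest line and nonce format are constructed for the example, and the behaviour of lifetime 0 is this model's rule (age must be strictly below the lifetime), not a statement about how mod_auth_digest implements that value.

```python
"""RFC 2617 Digest (MD5, qop=auth) round trip with a time-limited nonce.

Added example; not code from the question, the answers or Apache.
Realm, hosts, user, password, htdigest line and nonce format are constructed.
"""
import hashlib
import hmac
import os

REALM = "realm"                        # must equal AuthName on every host
NONCE_KEY = os.urandom(16)             # server secret protecting the nonce
PROTECTION_SPACE = [                   # modelled AuthDigestDomain list
    "/", "http://domain.com/", "http://app1.domain.com/",
]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); this is the hash htdigest stores.

    A client that caches HA1 instead of the password can only reuse it while
    the realm it receives from the next host is byte-for-byte the same.
    """
    return md5_hex(f"{user}:{realm}:{password}")


def load_htdigest(text: str) -> dict:
    """Parse htdigest lines of the form user:realm:HA1 into a lookup table."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, realm, digest = line.strip().split(":", 2)
            table[(user, realm)] = digest
    return table


def make_nonce(now: int) -> str:
    """Constructed nonce: issue time plus an HMAC, so the server stays stateless."""
    ts = str(now)
    return ts + ":" + hmac.new(NONCE_KEY, ts.encode(), "md5").hexdigest()


def nonce_is_fresh(nonce: str, lifetime: int, now: int) -> bool:
    """Model of a nonce lifetime: < 0 never expires; otherwise the nonce is
    accepted only while its age is strictly below `lifetime` seconds, so a
    lifetime of 0 accepts nothing (every nonce is stale on arrival)."""
    ts, _, mac = nonce.partition(":")
    expected = hmac.new(NONCE_KEY, ts.encode(), "md5").hexdigest()
    if not ts.isdigit() or not hmac.compare_digest(mac, expected):
        return False
    return lifetime < 0 or now - int(ts) < lifetime


def challenge(now: int) -> dict:
    """Server side: WWW-Authenticate parameters. `domain` is the list of URIs
    a client may reuse the credentials for (most browsers ignore it)."""
    return {"realm": REALM, "qop": "auth", "algorithm": "MD5",
            "nonce": make_nonce(now), "domain": " ".join(PROTECTION_SPACE)}


def client_response(user, ha1_hex, method, uri, chal, cnonce, nc="00000001"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f"{ha1_hex}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}


def verify(auth, method, request_uri, table, lifetime, now) -> str:
    """Server side: 'ok', 'stale' (password correct but nonce expired, so the
    server should re-challenge with stale=true) or 'bad'."""
    stored = table.get((auth["username"], auth["realm"]))
    if stored is None or auth["uri"] != request_uri or auth["qop"] != "auth":
        return "bad"
    ha2 = md5_hex(f"{method}:{request_uri}")
    expected = md5_hex(f"{stored}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
    if not hmac.compare_digest(expected, auth["response"]):
        return "bad"
    return "ok" if nonce_is_fresh(auth["nonce"], lifetime, now) else "stale"


def demo() -> dict:
    """Walk through the cases discussed on the page and return each verdict."""
    now = 1_700_000_000
    a1 = ha1("alice", REALM, "s3cret")
    table = load_htdigest(f"alice:{REALM}:{a1}\n")       # constructed htdigest file
    chal = challenge(now)
    first = client_response("alice", a1, "GET", "/", chal, "c1")
    # the cached HA1 reused against a second host in the domain list, same realm
    second = client_response("alice", a1, "GET", "http://app1.domain.com/", chal, "c2", "00000002")
    # a host whose AuthName differs: the cached HA1 no longer matches the file
    wrong_realm = client_response("alice", ha1("alice", "other", "s3cret"), "GET", "/", chal, "c3")
    return {
        "first_host": verify(first, "GET", "/", table, 300, now),
        "second_host": verify(second, "GET", "http://app1.domain.com/", table, 300, now),
        "wrong_realm": verify(wrong_realm, "GET", "/", table, 300, now),
        "lifetime_zero": verify(first, "GET", "/", table, 0, now),
        "expired": verify(first, "GET", "/", table, 300, now + 301),
        "lifetime_negative": verify(first, "GET", "/", table, -1, now + 10_000),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Running it shows the same HA1 validating on both hosts as long as the realm and the htdigest file match, a response built under a different realm being rejected outright, and a lifetime of 0 turning every otherwise correct response into a stale one, which in a real deployment shows up as the browser being re-challenged.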

Can a wildcard on AuthDigestDomain help?

    *.domain.com
0
