The Apache Haus Forum

Forum Topics => Apache 2.4 => Topic started by: casi91 on December 13, 2012, 03:14:36 PM

Title: security problem, auth_form and authn_dbd
Post by: casi91 on December 13, 2012, 03:14:36 PM
Hi there,

I am trying to configure a login with the Apache server.
I would like to use my own login page, so I use "mod_auth_form".
I also want to check the user against my DB.
So I use "mod_auth_dbd" and "mod_authz_dbd".

The login and the logout work fine. But I've got a security problem.
When I'm logged in and look at my browser cookies, I see the username and the password without any encryption.
For example:
Quote
MyServer-user=testusr&MyServer-pw=testpwd

How can I make my login safer?

My system information:
- Apache 2.4.3
- PHP 5.4.9
- Windows Server 2008 R2

Here is my current configuration:

<Location /login>
   SetHandler form-login-handler
   AuthFormLoginRequiredLocation /index.php
   AuthFormLoginSuccessLocation /xxx/login.php

   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd
   AuthType form
   AuthName "SVR"
   AuthFormProvider dbd
   Session On
   #SessionCryptoPassphrase secret
   SessionCookieName session path=/

   # don't require user to already be logged in!
   AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

   # dbd-login action executes a statement to log user in
   Require dbd-login
   AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

   # return user to referring page (if any) after
   # successful login
   AuthzDBDLoginToReferer On
</Location>


<Directory "xxx/xxx">
   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd
   AuthType form
   AuthName "SVR"
   AuthFormProvider dbd
   AuthFormLoginRequiredLocation /index.php
   Session On
   #SessionCryptoPassphrase secret
   SessionCookieName session path=/

   # core authorization configuration
   Require valid-user

   # mod_authn_dbd SQL query to authenticate a user
   AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s AND login = 'true'"

   ErrorDocument 401 /loginfail.php

   <Files login.php>
      # don't require user to already be logged in!
      AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

      # dbd-login action executes a statement to log user in
      Require dbd-login
      AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

      # return user to referring page (if any) after
      # successful login
      #AuthzDBDLoginToReferer On
   </Files>
</Directory>


I also tried
Session On
SessionCookieName session path=/
SessionCryptoPassphrase secret

instead of

Session On
SessionCookieName session path=/

But then, after I press my login button, I get an error in the browser:
Quote
The connection to the server was reset while the page was loading.
And in the address bar I see that the location is
Quote
myserver/login


I hope you understand my problem and that my English is not that bad.
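As an added example (not code from the thread), here is a small Python triage that decodes a mod_session cookie value and reports whether the form login is readable in it, as in the cookie quoted in the post above, or whether the value is an opaque blob of the kind mod_session_crypto produces. The "<AuthName>-user" / "<AuthName>-pw" key naming is taken from the cookie shown in the post; the sample cookie values are constructed.

```python
"""Triage an Apache mod_session cookie value for cleartext mod_auth_form credentials.
Added example, not code from the thread. It relies only on what the thread shows:
without mod_session_crypto the session is stored in the cookie as URL-encoded
key=value pairs, and mod_auth_form keeps the login in it as "<AuthName>-user"
and "<AuthName>-pw". The sample cookie values are constructed.
"""
import re
from urllib.parse import parse_qsl

# Cookie VALUES (not whole Set-Cookie headers), constructed; the first mirrors
# the value quoted in the thread.
SAMPLE_COOKIES = {
    "plaintext_with_password": "MyServer-user=testusr&MyServer-pw=testpwd",
    "plaintext_user_only": "expiry=1355418876000000&SVR-user=alice",
    "encrypted_looking": "y4Q8k2Zr0JvXm1cT7l9pQ2aB5nE8sW3dUfKhLgPqRtVx6zYc=",
}

_AUTH_FORM_KEY = re.compile(r"(.+)-(user|pw)$")
_BASE64_ONLY = re.compile(r"[A-Za-z0-9+/]+={0,2}$")


def parse_session(cookie_value: str) -> dict:
    """Decode the unencrypted mod_session layout (key=value&key=value) into a dict.
    Trailing cookie attributes such as "; path=/" are ignored if present."""
    value = cookie_value.split(";", 1)[0].strip()
    return dict(parse_qsl(value, keep_blank_values=True))


def find_auth_form_fields(cookie_value: str) -> dict:
    """Return the mod_auth_form fields readable in the cookie, keyed "user"/"pw"."""
    found = {}
    for key, val in parse_session(cookie_value).items():
        m = _AUTH_FORM_KEY.match(key)
        if m:
            found[m.group(2)] = val
    return found


def classify_cookie(cookie_value: str) -> str:
    """CLEARTEXT_CREDENTIALS: password readable (the thread's problem); CLEARTEXT_SESSION:
    readable fields but no password; OPAQUE: base64-looking blob; UNKNOWN: none."""
    value = cookie_value.split(";", 1)[0].strip()
    if "pw" in find_auth_form_fields(value):
        return "CLEARTEXT_CREDENTIALS"
    if len(value) >= 16 and _BASE64_ONLY.match(value):
        return "OPAQUE"
    if parse_session(value):
        return "CLEARTEXT_SESSION"
    return "UNKNOWN"


def triage_all(cookies: dict = SAMPLE_COOKIES) -> dict:
    """Classify every cookie value; this is what a reviewer would log."""
    return {name: classify_cookie(value) for name, value in cookies.items()}
```

Run it against the value your browser actually stores; anything other than OPAQUE means the session (and possibly the password) is readable by whoever can see the cookie.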
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 13, 2012, 04:19:30 PM
Hi there

I deleted my error log and reproduced my problem. And now I found this line:
Quote
[mpm_winnt:notice] [pid 3552:tid 420] AH00428: Parent: child process exited with status 255 -- Restarting.

So that says that the server is actually restarting.
But how can I figure out why this happens?
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 13, 2012, 06:55:49 PM
SessionCrypto* requires mod_session_crypto
http://httpd.apache.org/docs/2.4/mod/mod_session_crypto.html

As for why Apache is restarting, you might find your answer in the Windows Event Log. Typically something crashes the child process and the parent restarts them.
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 14, 2012, 07:04:24 AM
Thanks for this hint.
Shame on me that I didn't look in the Windows Event Log.

So, I have new information.
The Windows Event Log says that the faulting application is "httpd.exe"
and the faulting module is "libaprutil-1.dll".

More (important) information is not available.
Any ideas?
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 14, 2012, 08:11:48 AM
Typically a faulty 3rd party module. Not so typical is the way APR Util interacts with the system. Some systems do funny things.

Did this start happening after loading mod_session_crypto and not before?
If so, where did you get your Apache, and is it a VC10 or VC9 build?

Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 14, 2012, 09:43:48 AM
The problem happens after I add this line:
SessionCryptoPassphrase secret

The mod_session_crypto module does not trigger the problem.
The module is always loaded in my httpd.conf.

I got my version from Apache Lounge:
http://www.apachelounge.com/download/win64/
(I hope I'm allowed to post this link. If not, please tell me or remove the link.)

and it is the VC10 build.
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 15, 2012, 11:28:02 PM
Yes, it's ok to post URL to Apache Lounge.

I do not have an answer or any more questions for you just at the moment. I am going to have to first learn how to use the auth_form stuff then play around with it a little. I wouldn't believe our binaries would work better than his in this situation but I will not know till I have time to test this on ours.
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 16, 2012, 09:46:49 AM
Well that was fun .... not!

It works for me. I did not set up a big php login with mysql database however. I just used a quick and dirty .htaccess file.

Your problem may be when connecting to your database, I'd say set up some other area with just AuthFormProvider file and an .htpasswd file and try it there. See if session crypto is working then. If not, problem must be with the Apache Lounge's binaries.

Anyhow, session crypto works for me. I'm not very good with php or mysql so I am not the person to debug that part. Try using session crypto with .htpasswd first, if that works, you might take your problem to the Apache User Support and Discussion mailing list (http://httpd.apache.org/lists.html#http-users) (not any of the others) with this since I see there is no answers to your post over at Apache Lounge. There's a lot of smart people on that users mailing list.

One thing I ran into is using SSI in the login form; if I did that, nothing at all worked. That is a bug that should be fixed in 2.4.4, and I'm going to add the last needed vote to get it into 2.4.4 now.

Oddly, when you first get in, the session cookie will show as (none); reload the page and it will show up.

Edit: Removed dead link
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 16, 2012, 10:14:34 AM
vote, promote
http://svn.apache.org/viewvc?view=revision&revision=1422489

Edit: Backported to what will be 2.4.4
http://svn.apache.org/viewvc?view=revision&revision=1422570
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 08:19:40 AM
Hi, thanks for your answer.

I will try it without my DB and tell you if it works or not.
If it doesn't work, I will try your binaries.

So, let's start  :)
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 09:03:41 AM
So...
I will try out your binaries. Maybe it helps.
I copied your config and I only changed the path.
But the server seems to be going around in circles.
Here is the error log (until 08:55:47 everything is fine, but that's only the log for the server start).
And after that, the server restarts 2 times. :-(

Quote
The testweb service is restarting.
Starting the testweb service
The testweb service is running.
] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:55:45.001811 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxx/xxxx/Apache24'
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 2716
[Mon Dec 17 08:55:46.017221 2012] [auth_digest:notice] [pid 2716:tid 324] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:55:47.626256 2012] [mpm_winnt:notice] [pid 2716:tid 324] AH00354: Child: Starting 64 worker threads.
[Mon Dec 17 08:56:13.183724 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00428: Parent: child process exited with status 255 -- Restarting.
[Mon Dec 17 08:56:13.261832 2012] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:56:14.011669 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxx/xxxx/xxxx'
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 3992
[Mon Dec 17 08:56:15.027073 2012] [auth_digest:notice] [pid 3992:tid 324] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:17.104746 2012] [mpm_winnt:notice] [pid 3992:tid 324] AH00354: Child: Starting 64 worker threads.
[Mon Dec 17 08:56:17.229719 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00428: Parent: child process exited with status 255 -- Restarting.
[Mon Dec 17 08:56:17.323448 2012] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:56:18.010799 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxxx/xxxxx/xxxxx'
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 1572
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 09:55:25 AM
It's me again.

I downloaded your binaries: http://www.apachehaus.com/cgi-bin/download.plx
(I downloaded the x64 binaries)

But now, when I try to install/start the new Apache instance, the server crashes directly.
Quote
Problemsignatur:
  Problemereignisname:   APPCRASH
  Anwendungsname:   httpd.exe
  Anwendungsversion:   2.4.3.0
  Anwendungszeitstempel:   502fde1c
  Fehlermodulname:   MSVCR90.dll
  Fehlermodulversion:   9.0.21022.8
  Fehlermodulzeitstempel:   47313e07
  Ausnahmecode:   c0000005
  Ausnahmeoffset:   000000000001801e
  Betriebsystemversion:   6.1.7601.2.1.0.274.10
  Gebietsschema-ID:   1031
  Zusatzinformation 1:   2870
  Zusatzinformation 2:   2870d298bb95cdaf4fa3d5ad2f2c90ce
  Zusatzinformation 3:   25ea
  Zusatzinformation 4:   25ea0f9b65c97060ce0b97e3bcf0a810

Lesen Sie unsere Datenschutzbestimmungen online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0407

Wenn die Onlinedatenschutzbestimmungen nicht verfügbar sind, lesen Sie unsere Datenschutzbestimmungen offline:
  C:\Windows\system32\de-DE\erofflps.txt
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 11:16:42 AM
I've tried to install the Apache x86 on my local PC, and what should I say... it works. (tested without DB)
So the problem only exists on the Windows 2008 R2 server with the x64 binaries.
:-(
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 11:37:53 AM
And it's me again.
Sorry for the spam.

I downloaded the x64 binaries again and installed Apache in the root instead of a new folder, and now the test login (without DB but with crypto) works.
Phew... a lot of work for such a small win.

Now I'll try again to install it in the folder I created for it.
And if it works, I'll go step by step to the final configuration.
I'll write my results soon :-)

And again, thanks for the support.
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 17, 2012, 12:06:11 PM
Well, I'm glad you are getting there, so your experiences with this are not spam, just verbose experimentation :D
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 05:13:38 PM
So,
after a long day and a lot of Apache configuration, I finally have the basic config I want :-)
Here it is: my login with mod_auth_digest and mod_auth_form and, last but not least, mod_auth_dbd with an ODBC connection to my database.

Also, I've got the connection only over SSL.

Today was a good day :-)

Again, thanks for your help.
Title: Re: security problem, auth_form and authn_dbd
Post by: mario on December 17, 2012, 05:50:42 PM
It would be great if you could post the working config.
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 18, 2012, 08:19:18 AM
Oh, of course.
But first I have to hurry up and finish my project.
Because in a few days I'm going on holiday  ;)

But when I have enough time this week, I'll post a small config with all the necessary code.
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 18, 2012, 04:57:32 PM
So,
I hope I didn't forget anything.
Here is the necessary config:

LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule session_dbd_module modules/mod_session_dbd.so
# Also needed by the directives below (often already enabled in the stock
# httpd.conf): mod_dbd for DBDriver/DBDParams, mod_authz_user for
# "Require valid-user", mod_access_compat for the Order/allow lines.
LoadModule dbd_module modules/mod_dbd.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule access_compat_module modules/mod_access_compat.so

# mod_dbd connection pool; DSN, usr and pwd are placeholders for the ODBC values
DBDriver odbc
DBDParams "DATASOURCE=DSN, USER=usr, PASSWORD=pwd"

DBDMin  6
DBDKeep 7
DBDMax  10
DBDExptime 400


<Location /logout>
   SetHandler form-logout-handler
   Order allow,deny
   allow from all
   AuthFormLogoutLocation /logout.php

   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd
   AuthType form
   AuthName "AuthName"
   AuthFormProvider dbd
   Session On
   # "secret" is a placeholder: use a long random passphrase, it is what keeps
   # the username and password in the session cookie unreadable
   SessionCryptoPassphrase secret
   SessionCookieName session path=/

   AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s"

   # dbd-logout action executes a statement to log user out
   Require dbd-logout
   AuthzDBDQuery "UPDATE database.table SET login = 'false' WHERE user = %s"
</Location>

<Location /login>
   SetHandler form-login-handler
   AuthFormLoginRequiredLocation /loginfail.php
   AuthFormLoginSuccessLocation /login.php

   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd
   AuthFormProvider dbd
   AuthType form
   AuthName "AuthName"

   Session On
   SessionCryptoPassphrase secret
   SessionCookieName session path=/

   # don't require user to already be logged in!
   AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s"

   # dbd-login action executes a statement to log user in
   Require dbd-login
   AuthzDBDQuery "UPDATE database.table SET login = 'true' WHERE user = %s"

   # return user to referring page (if any) after
   # successful login
   AuthzDBDLoginToReferer On
</Location>

<Directory "myDirectory">
   Session On
   SessionCryptoPassphrase secret
   SessionCookieName session path=/

   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd
   AuthType form
   AuthName "AuthName"
   AuthFormProvider dbd

   # core authorization configuration
   Require valid-user

   # mod_authn_dbd SQL query to authenticate a user
   AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s and login = 'true'"

   ErrorDocument 401 /index.php

   <Files login.php>
      # don't require user to already be logged in!
      AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s"

      # dbd-login action executes a statement to log user in
      Require dbd-login
      AuthzDBDQuery "UPDATE database.table SET login = 'true' WHERE user = %s"
   </Files>
</Directory>
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 19, 2012, 10:44:03 PM
Thanks for coming back with that and Happy Holidays
Title: Re: security problem, auth_form and authn_dbd
Post by: NYOKUS on January 16, 2013, 11:59:53 AM
Hello,

I'd like to note that I also have the same issue with the x64 binaries.
After having created the Apache Windows service, I'm not able to start it:

"
Faulting application name: httpd.exe, version: 2.4.3.0, time stamp: 0x502fde1c
Faulting module name: MSVCR90.dll, version: 9.0.30729.6161, time stamp: 0x4dace4e7
Exception code: 0xc0000005
Fault offset: 0x000000000001833e
Faulting process id: 0x1a48
Faulting application start time: 0x01cdf3c4b3f36e4a
Faulting application path: C:\E\Installed_programs\apache\httpd\bin\httpd.exe
Faulting module path: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\MSVCR90.dll
Report Id: f4bfd3e3-5fb7-11e2-96dd-0050568b3be3



Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: httpd.exe
P2: 2.4.3.0
P3: 502fde1c
P4: MSVCR90.dll
P5: 9.0.30729.6161
P6: 4dace4e7
P7: c0000005
P8: 000000000001833e
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_httpd.exe_e69d22e5adfa4138ebec8d4537d688ce9572caf_10093561

Analysis symbol:
Rechecking for solution: 0
Report Id: f4bfd3e3-5fb7-11e2-96dd-0050568b3be3
Report Status: 4
"
Could someone help me to solve this issue?

thanks in advance

Regards

Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on January 18, 2013, 07:36:42 PM
Cannot reproduce but I'm not using dbd auth, just simple file.

Casi91 had to revert to x86 binaries to solve the problem.
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on January 23, 2013, 11:14:11 AM
I'm wondering if both these are due to mod_session_dbd, at least the crash one and showing up mainly in x64.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53452

This bug should be fixed in 2.4.4