Print

[casi91]

Hi there,

I try to configure a Login with the Apache Server.
I would like to use my own Login-Page, so i use "mod_auth_form".
I also want to check the user over my DB.
So i use "mod_auth_dbd" and "mod_authz_dbd"

The login and the logout works fine. But I've got a security Problem.
When I'm logged in and watch my Browser cookies, I see the username and the password without any crypt.
for example:

MyServer-user=testusr&MyServer-pw=testpwd

How can I made my Login more safely?

My System Informations:
- Apache 2.4.3
- PHP 5.4.9
- Windows Server 2008 R2

Here is my current Configuration:

Code: [Select]

<Location /login>
   SetHandler form-login-handler
   AuthFormLoginRequiredLocation /index.php
   AuthFormLoginSuccessLocation /xxx/login.php

   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd   

   AuthType form
   AuthName "SVR"
   AuthFormProvider dbd
   Session On
   #SessionCryptoPassphrase secret
   SessionCookieName session path=/   

     # don't require user to already be logged in!
       AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

       # dbd-login action executes a statement to log user in
       Require dbd-login
       AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

       # return user to referring page (if any) after
      # successful login
       AuthzDBDLoginToReferer On
</Location>


<Directory "xxx/xxx">
   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd
   AuthType form
   AuthName "SVR"
   AuthFormProvider dbd
   AuthFormLoginRequiredLocation /index.php
   Session On
   #SessionCryptoPassphrase secret   
   SessionCookieName session path=/

   # core authorization configuration
   Require valid-user

   # mod_authn_dbd SQL query to authenticate a user
   AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s AND login = 'true'"
     
   ErrorDocument 401 /loginfail.php

   <Files login.php>
        # don't require user to already be logged in!
          AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

          # dbd-login action executes a statement to log user in
          Require dbd-login
          AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

          # return user to referring page (if any) after
         # successful login
          #AuthzDBDLoginToReferer On
   </Files>
</Directory>

I also tried

Code: [Select]

Session On   
SessionCookieName session path=/
SessionCryptoPassphrase secret
instead of

Code: [Select]

   
Session On   
SessionCookieName session path=/
But then, after I press my Loginbutton, I get a Error in the Browser:

The connection to the server was reset while the page was loading.

And in the Adressrow I see, that the position is

myserver/login

I hope you understand my problem and my english is not that bad.

[casi91]

Hi there

I delete my error-log and rebuild my problem. And now I found this line:

[mpm_winnt:notice] [pid 3552:tid 420] AH00428: Parent: child process exited with status 255 -- Restarting.

So, that says, that the Server actually is restarting.
But how can i figure out why this happens?

[Gregg]

SessionCrypto* requires mod_session_crypto
http://httpd.apache.org/docs/2.4/mod/mod_session_crypto.html

As for why is Apache restarting, you might find your answer in the Windows Event Log. Typically something crashes the child process and the parent restarts them.

[casi91]

Thanks for this hint.
Shame on me, that i didn't saw in the Windows-Eventlog

So, I got new Informations.
The Windows-Eventlog says, that die faulting Application is "httpd.exe"
and the faultig Module is "libaprutil-1.dll"

More (important) Informations are not available.
Any Ideas?

[Gregg]

Typically a faulty 3rd party module. Not so typical is the way APR Util interacts with the system. Some systems do funny things.

Did this start happening after loading mod_session_crypto and not before?
If so, where did you get your Apache and is it VC10 or VC9 build?

[casi91]

The problem happens after I write this row:

Code: [Select]

SessionCryptoPassphrase secret
The mod_session_crypto modul does not fire the problem.
The module is always loaded in my httpd.conf

I got my Version from apachelounge
http://www.apachelounge.com/download/win64/
(I hope i'm allowed to post this link. If not please tell me or remove the link)

and it is the VC10 build

[Gregg]

Yes, it's ok to post URL to Apache Lounge.

I do not have an answer or any more questions for you just at the moment. I am going to have to first learn how to use the auth_form stuff then play around with it a little. I wouldn't believe our binaries would work better than his in this situation but I will not know till I have time to test this on ours.

[Gregg]

Well that was fun .... not!

It works for me. I did not set up a big php login with mysql database however. I just used a quick and dirty .htaccess file.

Your problem may be when connecting to your database, I'd say set up some other area with just AuthFormProvider file and an .htpasswd file and try it there. See if session crypto is working then. If not, problem must be with the Apache Lounge's binaries.

Anyhow, session crypto works for me. I'm not very good with php or mysql so I am not the person to debug that part. Try using session crypto with .htpasswd first, if that works, you might take your problem to the Apache User Support and Discussion mailing list (not any of the others) with this since I see there is no answers to your post over at Apache Lounge. There's a lot of smart people on that users mailing list.

One thing I ran into is using SSI in the login form, if I did that, nothing at all worked. That is a bug that should be fixed in 2.4.4, and I'm going to add the last needed vote to get it into 2.4.4 now.

Oddly, when you first get in the session cookie will show as (none), reload the page and it will show up.

Edit: Removed dead link

[Gregg]

vote, promote
http://svn.apache.org/viewvc?view=revision&revision=1422489

Edit: Backported to what will be 2.4.4
http://svn.apache.org/viewvc?view=revision&revision=1422570

[casi91]

Hi, thanks for your answer.

I will try it without my DB and tell you if it works or not.
If it doesnt work, i will try your binaries.

So, let's start 

[casi91]

so...
i will try out your binaries. Maybe it helps.
I copied your config and i only changed the path.
But the Server seems to turning arround.
Here is the errorlog: (till 08:55:47 everythings fine, but thats only the log for the server start)
And after then, the Server is restarting 2 Times. :-(

The testweb service is restarting.
Starting the testweb service
The testweb service is running.
] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:55:45.001811 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxx/xxxx/Apache24'
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 2716
[Mon Dec 17 08:55:46.017221 2012] [auth_digest:notice] [pid 2716:tid 324] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:55:47.626256 2012] [mpm_winnt:notice] [pid 2716:tid 324] AH00354: Child: Starting 64 worker threads.
[Mon Dec 17 08:56:13.183724 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00428: Parent: child process exited with status 255 -- Restarting.
[Mon Dec 17 08:56:13.261832 2012] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:56:14.011669 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxx/xxxx/xxxx'
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 3992
[Mon Dec 17 08:56:15.027073 2012] [auth_digest:notice] [pid 3992:tid 324] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:17.104746 2012] [mpm_winnt:notice] [pid 3992:tid 324] AH00354: Child: Starting 64 worker threads.
[Mon Dec 17 08:56:17.229719 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00428: Parent: child process exited with status 255 -- Restarting.
[Mon Dec 17 08:56:17.323448 2012] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:56:18.010799 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxxx/xxxxx/xxxxx'
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 1572

[casi91]

It's me again.

I downloaded your binaries: http://www.apachehaus.com/cgi-bin/download.plx
(I downloaded the x64 binaries)

but now, when I try to install/start the new apache instance, the Server crashes directly.

Problemsignatur:
  Problemereignisname:   APPCRASH
  Anwendungsname:   httpd.exe
  Anwendungsversion:   2.4.3.0
  Anwendungszeitstempel:   502fde1c
  Fehlermodulname:   MSVCR90.dll
  Fehlermodulversion:   9.0.21022.8
  Fehlermodulzeitstempel:   47313e07
  Ausnahmecode:   c0000005
  Ausnahmeoffset:   000000000001801e
  Betriebsystemversion:   6.1.7601.2.1.0.274.10
  Gebietsschema-ID:   1031
  Zusatzinformation 1:   2870
  Zusatzinformation 2:   2870d298bb95cdaf4fa3d5ad2f2c90ce
  Zusatzinformation 3:   25ea
  Zusatzinformation 4:   25ea0f9b65c97060ce0b97e3bcf0a810

Lesen Sie unsere Datenschutzbestimmungen online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0407

Wenn die Onlinedatenschutzbestimmungen nicht verf?gbar sind, lesen Sie unsere Datenschutzbestimmungen offline:
  C:\Windows\system32\de-DE\erofflps.txt

[casi91]

I've tried to install the Apache x86 on my Local PC, and what should I say...it works. (tested without DB)
So the problem only exists on the Windows 2008 R2 Server with the x64 binaries.
:-(

[casi91]

And it's me again.
Sorry for the spam.

I downloaded the x64 binaries again and install the apache in the root instead of a new folder and now the testlogin (without db but with crypto) works.
puh...a lot of work for such a small win.

Now I'll try again to install it in the folder I created for.
And if it works, I'll go step by step to the final configuration.
I'll write my results soon :-)

And again, thanks for support

[Gregg]

Well, I'm glad you are getting there, so your experiences with this are not spam, just verbose experimentation