Hi there,
I am trying to configure a login with the Apache server.
I would like to use my own login page, so I use "mod_auth_form".
I also want to check the user against my DB.
So I use "mod_auth_dbd" and "mod_authz_dbd".
The login and the logout work fine. But I have a security problem.
When I am logged in and look at my browser cookies, I see the username and the password without any encryption.
For example:
MyServer-user=testusr&MyServer-pw=testpwd
How can I make my login more secure?
My system information:
- Apache 2.4.3
- PHP 5.4.9
- Windows Server 2008 R2
Here is my current configuration:
<Location /login>
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation /index.php
    AuthFormLoginSuccessLocation /xxx/login.php
    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    # session is stored in a client-side cookie (mod_session_cookie);
    # SessionCryptoPassphrase is commented out, so it is not encrypted
    Session On
    #SessionCryptoPassphrase secret
    SessionCookieName session path=/
    # don't require user to already be logged in!
    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"
    # dbd-login action executes a statement to log user in
    Require dbd-login
    AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"
    # return user to referring page (if any) after
    # successful login
    AuthzDBDLoginToReferer On
</Location>

<Directory "xxx/xxx">
    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    AuthFormLoginRequiredLocation /index.php
    Session On
    #SessionCryptoPassphrase secret
    SessionCookieName session path=/
    # core authorization configuration
    Require valid-user
    # mod_authn_dbd SQL query to authenticate a user
    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s AND login = 'true'"
    ErrorDocument 401 /loginfail.php
    <Files login.php>
        # don't require user to already be logged in!
        AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"
        # dbd-login action executes a statement to log user in
        Require dbd-login
        AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"
        # return user to referring page (if any) after
        # successful login
        #AuthzDBDLoginToReferer On
    </Files>
</Directory>
I also tried
    Session On
    SessionCookieName session path=/
    SessionCryptoPassphrase secret
instead of
    Session On
    SessionCookieName session path=/
But then, after I press my login button, I get an error in the browser:
The connection to the server was reset while the page was loading.
And in the address bar I see that the location is
myserver/login
I hope you understand my problem and that my English is not too bad.
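Why the cookie looks like this: mod_auth_form keeps the username and password in the session so it can re-authenticate the user on every request, and with mod_session_cookie the whole session is written into the cookie itself. Unless mod_session_crypto encrypts it, the browser (and anything that can read the cookie) sees the credentials in clear. The following hardened version of the /login block is an added example, not the poster's configuration or anything from the Apache project: the LoadModule paths follow the usual Windows httpd 2.4 layout, the passphrase is a placeholder, and it assumes the site is served over HTTPS (otherwise drop the Secure flag, but then the cookie still crosses the network in clear).

```apache
# Added hardening example for the /login block (placeholder values; not the
# original poster's configuration).  mod_session_crypto must actually be
# loaded, and the driver named here must be one that APR was built with;
# if it is not, httpd can fail at request time rather than at startup, so
# check error.log after enabling SessionCryptoPassphrase.
LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so

# Weak (what the post shows): session with AuthName-user / AuthName-pw
# is stored in the cookie without encryption.
#   Session On
#   SessionCookieName session path=/

# Hardened:
<Location /login>
    SetHandler form-login-handler
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    AuthFormLoginRequiredLocation /index.php
    AuthFormLoginSuccessLocation /xxx/login.php

    Session On
    # Encrypt the session before mod_session_cookie writes it to the client.
    SessionCryptoDriver openssl
    SessionCryptoPassphrase "replace-with-a-long-random-passphrase"   # placeholder
    # Keep the cookie away from script (HttpOnly) and off plain HTTP (Secure).
    SessionCookieName session path=/;HttpOnly;Secure
    # Idle sessions expire after 30 minutes instead of living forever.
    SessionMaxAge 1800

    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"
    Require dbd-login
    AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"
    AuthzDBDLoginToReferer On
</Location>
```

The same three Session* changes belong in the <Directory> block so both sections read and write the session the same way. Encryption hides the credentials from the browser but they still travel inside the cookie; if that is not acceptable, mod_session_dbd stores the session server-side and leaves only a session ID in the cookie. Treat the SessionCryptoPassphrase like a key: keep it out of version control and rotate it if it leaks, since anyone holding it can decrypt every session cookie.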