Pubcookie Home > Documentation 
Apache Module Overview
Component:  mod_pubcookie
Audience:  All
Modified:  February 20, 2003

Included on this page:

What is mod_pubcookie?

mod_pubcookie is an Apache module, written in C, that uses the Apache API and the OpenSSL cryptography library to add Pubcookie-based authentication to the Apache web server. mod_pubcookie specifically implements the application server component of Pubcookie.

Functionality Review

mod_pubcookie provides the following functionality:

  • user authentication via a separate Pubcookie login server
  • per-application authentication session management
  • per-application inactivity and hard timeouts
  • per-application logout
  • logging

This functionality can be configured server-wide or on a per-application basis via the modules run-time configuration directives.

Authentication Interfaces

Apache's authentication features are traditionally turned on and off by run-time configuration directives. This is no different with mod_pubcookie; it simply extends the types of authentication already handled by Apache to include a site's own Pubcookie-based authentication type(s). See AuthType for details.

mod_pubcookie uses the REMOTE_USER environment variable to make each authenticated user's identity (usually, a username) available to applications.

Authorization Issues

Pubcookie provides authentication not authorization: it identifies who someone is, not what he or she is permitted to do. Therefore, mod_pubcookie leaves authorization decisions up to other modules, and, unless some other specialized authorization module is installed, this means Apache's core module.

Apache's core module is designed to provide authorization for "basic" authentication. Authorization is configured with the require directive. When paired with authentication provided by mod_pubcookie, Apache's core authorization works with one drawback: if Pubcookie-based authentication succeeds but Apache's core authorization fails, Apache will challenge the user to authenticate as if basic authentication had just failed. As a result, most browsers will present the user with a pop-up dialog box, which can be confusing to users who just authenticated themselves (successfully, mind you) via their site's Pubcookie login service. (Of course, these are unauthorized users, so they're going to be dismayed regardless.)

There are two ways to avoid this predicament. First, a site can load a custom authorization module to override authorization by Apache's core module when Pubcookie-based authentication is used. Or, an application can tell the core module that all authenticated users are authorized (that is, use require valid-user) and implement authorization on its own.

Module vs API Approach

mod_pubcookie provides control over authentication as Apache generally does: via run-time configuration directives placed in Apache config files or per-directory .htaccess files. Simiarly, information is passed to applications the usual Apache way: indirectly through environment variables. There is no Pubcookie API in the usual programmatic sense; so there are no library calls that an application must incorporate.

The implication for application design is that authentication is controlled by the layout of an application on the filesystem itself: some directories are Pubcookie-protected and other's aren't. So an application controls what happens to users by directing them to URLs (usually directories) that have the appropriate directives applied to them. Perhaps authentication is required in one directory, logout features in another, and free-reign everywhere else.

Some of the advantages of this module approach are:

  • it performs and scales better since it's done thru the Apache API
  • it works well for applications and static content (e.g. HTML files, images)
  • it offers a solution independent from the languages used to implement applications
  • it requires the inclusion of no external code in applications
  • it promotes consistent use of Pubcookie among applications

[Pubcookie Home Page]
Copyright © 2002-2008 University of Washington
UW Technology Services
Pubcookie Contact Info
Modified: February 20, 2003