jest has asked for the wisdom of the Perl Monks concerning the following question:

Wise monks,

I have a database application that has two levels of authentication: a standard Apache-based authentication to get into the site in the first place, based on IP addresses kept in httpd.conf and then on an htpasswd file if the IP doesn't work, and then an application-level login, based on checking against a database, saving user info (e.g. access levels) in a server-side session with one-hour expiration, and passing a random session ID in a cookie.

Most of my users do not have write/edit access to the database, just read access. They are also in specific corporate locations with fixed IP addresses. I have recently gotten complaints that it's a pain to have to log in all the time to use the database--this should, people think, be necessary only for people making changes.

What would be the best way to set up authentication on this basis? I'm imagining that anyone without a cookie then has their IP address via $ENV{REMOTE_ADDR} checked against a list, and setting a cookie with read-level permissions. Anyone needing a higher access level could go to a login page that will ignore the IP authentication when setting the cookie.

Is this sensible, and secure? Are there other modules or procedures that would be a better way of handling this? And is there any easy way to avoid duplicating the IP list between httpd.conf and the program? There are a number of different access levels stored in a database, it's not just a simple yes or no.

Thank you for any advice.

Replies are listed 'Best First'.
Re: Mixing IP and password authentication
by waswas-fng (Curate) on Jan 17, 2004 at 22:55 UTC
    Use a session. Everyone who access via a allowed IP can use the system. Users that need a elevated access, need to click on a login link that auths them then changes the session keys to show they are elevated.


      That's not fine-grained enough; as I said in my original post, it's not a simple yes or no. I might have several scripts in a particular directory which have differing levels of initial permissions, so a directory-level auth via Apache wouldn't work. Or other things along those lines.

        I am not saying use directory level permissions. My post does not assume a simple level of yes or no auth. I am saying use a session. If the user connects without a valid session pass him the the session creator. If the has access to the base app (via IP or whatever your base auth level is), then grant him a session and redirect back to the page he tried to hit. If the user then needs expanded access have a login page that verifies whatever auth you want and grants auth level tokens and stores them in his current session. This resolves the base users from getting user/pass auths while still allowing you to have fine grained auth privs for advanced users. Then your cgi can take a look at the session and form the pages and options to something that is acceptable for the auth privs that the session grants. Make sense?