User authentication using cookies. How??

User authentication using cookies. How??

Post by root.noharvest. » Fri, 17 Jul 1998 04:00:00

>I am interested in setting up a user authentication scheme on our web site.
>The site resides on a Free BSD box running Apache 1.2.6. Here is a description
>of what I would like to have.

First... before I answer your question, this is USENET.  It's not "the
web" so don't put markup on your posting.  This is a plain text medium
here.  <HTML> goes on web pages.


><P>1. Upon entering the site for the first time, a user must accept to
>a subscriber agreement which states they will not use the material for
>commercial purposes. They agree by entering their initials.

><P>2. The user also enters a unique username and password which they will
>use to enter the site.

><P>3. Instead of making the user enter the name and password each visit,
>I would like it to be stored in a cookie on the user's
><BR>computer, so they can be identified easily.

><P>4. If the cookie is deleted from the users computer, or their browser
>does not accept cookies, the user should be able to enter their
><BR>name and password to enter the site.&nbsp;

><P>I would like that all pages within the site are protected.

><P>I have implemented password protection on sites and I have implemented
>cookies on sites. But I have never used the two in

A little creativity here.  Your password protection will most likely
need to be CGI based, unless you want to try something with

With CGI based password protection, your "main page" can be a perl
script (or other) that first looks for the cookie data, if it finds
the cookie string, it decodes it into a filename, which is where you
stored that user's information.  If we've succeeded so far, we just
proceed with whatever content we're dishing out.  If there isn't a
cookie, or if the cookie doesn't match up with data stored on your
site, then you print out a login page.  

Now, with mod_rewrite I think it should be possible to actually
retrieve the cookie information and if found, set the REMOTE_USER
environment variable, which should then cause access to an .htaccess
protected URL to behave as if the user had already logged in.  If you
don't find a cookie with valid information, you don't set the
REMOTE_USER variable and a login prompt should appear.  I think you'll
need to have mod_rewrite use an external script to achieve this, but
it shouldn't be all that hard.


User authentication using cookies. How??

Post by John Robert LoVers » Wed, 22 Jul 1998 04:00:00

Try the Apache module "mod_auth_cookie.c" from

You use basic authentication for your pages, but allow a cookie to
hold the username/password.



1. Cookies for User Authentication

I have been able to write cookies successfully.

Now I want a cookie that will contain a person's username and
password.  This should then allow the user to enter the site without
having to enter their username and password (like hotwired or a
similar site.)

The question is:  How do I make a cookie track this username and
password so that my webserver (apache 1.1.1) doesn't prompt them for
this information again?

All help is appreciated.
Benjamin Fitts

SilverPlatter Education

2. PCI Card access problems (driver)

3. Apache, Oracle, Cookies and User Authentication

4. How to build multi-threaded c++ programs on AIX 4.3.2 with gcc (egcs 2.91.66)

5. user authentication in apache with cookies

6. Login Restriction Problem, Pls help

7. Problem using cookies for Authentication

8. no /bin->./usr/bin ???

9. Apache: using cookies for authentication

10. User authentication using Sybase, and implementing a 3 try lockout

11. apache user authentication using /etc/passwd file ?

12. Using User Authentication

13. Secure user authentication for NFS using RPCSEC_GSS [4/6]