So you're running Apache anonymously and off-loading authentication to the app stack, correct?
I've heard "OAuth", but I don't know anything about it. I'll add that to me list to research.
Thanks
-----Original Message-----
From: Richard Schoen [mailto:richard@xxxxxxxxxxxxxxxxx]
Sent: Friday, January 31, 2020 8:20 AM
To: web400@xxxxxxxxxxxxxxxxxx
Subject: Re: [WEB400] Apache authentication efficiency
I have taken the approach of creating a session table after the user authenticates initially.
In the table I usually store the userid, generated session id (guid) a source IP address (can be spoofed, but harder to do) and any other session related values I might want in there.
The session ID and source IP info is usually enough to constitute a valid session (unless IP spoofed) unless you're a banking institution where that might not hold up.
If a hit comes in that's not from a valid session id/ip combo the session is immediately removed from the table and session invalidated on next attempt to access a page or data.
The same concept also works nicely when you want to limit the number of users logged into an app for a particular user ID.
If user logs in a second time from another device you can invalidate their first session.
Feel free to poke holes in this strategy.
I'm always looking for better options and of course OAuth seems to be one of those these days.
Regards,
Richard Schoen
Web:
http://www.richardschoen.net
Email: richard@xxxxxxxxxxxxxxxxx
------------------------------
As an Amazon Associate we earn from qualifying purchases.