ArchitectureConsiderations
Mod_authnz_external is a flexible tool for building custom basic authentication systems for the Apache HTTP Server. "Basic Authentication" is a type of authentication built into the HTTP protocol, in which the browser automatically pops up a login box when the user requests a protected resource, and the login ids and passwords entered are checked by Apache. Mod_auth*_external allows the password checking normally done inside Apache to be done by a separate external program running outside of Apache.
As mentioned before, and shown in the diagram above, the password checker program you specify in your config file is then run completely external to Apache as a separate process. It is important to remember that mod_authnz_external handles authentication and authorization checks when accessing a page and has no effect on the resulting page itself. This has a few potentially unexpected side effects:
- You cannot set cookies inside of a password checker script (as you might be accustomed to with PHP, Java, etc. when running your web content). Any existing cookies sent by the browser can be read. Creating cookies here is meaningless, since the checker scripts are external and have nothing to do with Apache at all.
- You cannot create Sessions in PHP or similar scripts. Trying to do so may not throw an error, depending on your PHP/script configuration, but the user will never see the new session because the new cookie is not sent to the user (see point 1 above).
- Please note: while you can read the value of an existing PHPSESSID cookie from an external script, the actual $_SESSION data will not be available from the external script unless PHP's global session.save_path variable and Apache's mod_php (or the php_fcgi setup for the current vhost) session.save_path variable point to the same location. This would depend on your server setup/environment. Other script hosts would have similar considerations.
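The constraints above, as an added example that is not code from the mod_authnz_external project: a minimal checker that reads cookies the browser already sent and reports its decision only through its exit status. It assumes the module's pipe method (login and password on the first two lines of standard input), the `COOKIE` environment variable, and exit status 0 meaning "accept"; the user store and the password are constructed for the demo.

```python
import hashlib
import hmac
import os
import sys
from http.cookies import CookieError, SimpleCookie

# Constructed demo credential store: login -> (salt, PBKDF2-SHA256 hash).
_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000))}


def read_cookies(env):
    """Parse cookies the browser already sent (COOKIE environment variable)."""
    jar = SimpleCookie()
    try:
        jar.load(env.get("COOKIE", ""))
    except CookieError:  # malformed client header: treat as no cookies
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


def check(stdin_text, env, users=USERS):
    """Return the exit status: 0 accepts the login, non-zero rejects it."""
    lines = stdin_text.split("\n")
    if len(lines) < 2:
        return 1
    login, password = lines[0], lines[1]
    # Unknown logins still pay for one hash so timing does not reveal them.
    salt, stored = users.get(login, (_SALT, b""))
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(supplied, stored):
        return 1
    # Existing cookies can be read, but only as input to the decision.
    if "PHPSESSID" in read_cookies(env):
        print("request carried an existing PHPSESSID", file=sys.stderr)
    # No Set-Cookie and no session creation here: the exit status is the
    # only result, and nothing this process prints becomes part of the response.
    return 0


if __name__ == "__main__":
    sys.exit(check(sys.stdin.read(), os.environ))
```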