[Koha-devel] authentication

Tonnesen Steve tonnesen at cmsd.bc.ca
Wed Jul 3 23:37:08 CEST 2002


Here's my proposal for authentication.  I hope this will help with the
anti-cookie people in the crowd.

Note, after writing all this out, I found a module called mod_auth_tkt
which apparently does most of the cookie part of this.  Might be better to
implement it ourselves, as it makes one less apache configuration problem
on installation.



1.  Every script calls a checkauth($query) routine before doing anything
    else.

2.  checkauth() checks for a $ENV{'REMOTE_USERNAME'} environment variable.
  a.  If one is set, assume that basic authentication of some sort is
      being used
  b.  check that this user is allowed to be running this script.  If not,
      print a warning page and exit (possibly redirect to library home
      page or somesuch?).
  c.  return a zero value and the userid logged in and the script carries
      on.

3.  checkauth() looks for the value of a sessionID cookie in the $query
    hash.
  a.  If it doesn't find one:
    * present a log in screen where the user can enter a username and
      password.
    * The name of the original script and any query parameters are
      stored as hidden query params.
    * authentication script checks the entered username and password
      against a configurable authentication source (eg local mysql table,
      passwd file, ldap, pop server, you name it) and stores the
      sessionID, userid, remote ip address and lastcontact (current time)
      in the sessions database table.
  b.  If it finds one:
    * look up the userid, ip address and lastcontact values from a
      database table (sessions) for this sessionID. If ip address is the
      same, and lastcontact is recent enough for this category of user (eg
      librarians might time out after 30 minutes, patrons after 5 minutes) 
      then return a zero value, the userid logged in, and a cookie to be
      added to the HTML header and the script carries on.
    * If ip address is different, display a warning page and exit.  (Note
      that this doesn't prevent the same user from logging in from two
      different ips simultaneously, as they would normally have different
      sessionIDs.  It just protects (somewhat) against somebody hijacking
      the cookie and the session.)
    * If lastcontact time has expired, remove the session from the
      sessions table and display a login screen (as in 3a above).



Modifications to existing scripts consist of calling:

my ($userid,$cookie)=checkauth();

at the top of every script and changing: 

print $input->header;

to

if ($config->{'usecookieauth'}) {
    # -cookie is a named parameter of CGI::header, so it takes the "=>" fat comma
    print $input->header(-cookie=>$cookie);
} else {
    print $input->header;
}


Steve.
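The session logic of steps 3a and 3b above, worked through as an added example (not Koha's code and not Steve's; it stands in for the proposal with an in-memory dictionary where the sessions table would be and a constructed user table in place of the configurable authentication source). Names such as `login`, `checkauth`, `SESSIONS`, `USERS` and the two-category timeout table are assumptions of this example:

```python
import secrets
import time

# Constructed stand-in for the "sessions" database table:
# sessionID -> {userid, ip, lastcontact}. A real deployment would use the DB.
SESSIONS = {}

# Idle timeouts in seconds per user category, matching the proposal's
# figures (librarians 30 minutes, patrons 5 minutes).
TIMEOUTS = {"librarian": 30 * 60, "patron": 5 * 60}

# Constructed user table (assumption for the demo): userid -> (password, category).
# The proposal leaves the real source configurable (mysql, passwd, ldap, ...).
USERS = {"alice": ("s3cret", "librarian"), "bob": ("hunter2", "patron")}


def login(userid, password, remote_ip, now=None):
    """Step 3a: check the entered credentials and store sessionID, userid,
    remote ip and lastcontact in the sessions table.
    Returns the new sessionID, or None if the credentials are wrong."""
    now = time.time() if now is None else now
    entry = USERS.get(userid)
    if entry is None or not secrets.compare_digest(entry[0], password):
        return None
    # Assumption: the sessionID is 128 bits from the OS CSPRNG so it cannot be guessed.
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"userid": userid, "ip": remote_ip, "lastcontact": now}
    return session_id


def checkauth(session_id, remote_ip, now=None):
    """Step 3b for a request that carried a sessionID cookie.
    Returns (status, userid) where status is one of:
      "ok"          - session valid, script carries on as userid
      "login"       - no or expired session, show the login screen (3a)
      "ip_mismatch" - ip differs from the one stored, show the warning page"""
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_id)
    if sess is None:
        return ("login", None)
    if sess["ip"] != remote_ip:
        return ("ip_mismatch", None)
    category = USERS[sess["userid"]][1]
    if now - sess["lastcontact"] > TIMEOUTS[category]:
        # Expired: remove the session from the table and go back to the login screen.
        del SESSIONS[session_id]
        return ("login", None)
    # Touch lastcontact so the idle timer restarts on every successful request.
    sess["lastcontact"] = now
    return ("ok", sess["userid"])


if __name__ == "__main__":
    sid = login("alice", "s3cret", "10.0.0.5", now=1000)
    print(checkauth(sid, "10.0.0.5", now=1100))        # ('ok', 'alice')
    print(checkauth(sid, "10.0.0.9", now=1100))        # ('ip_mismatch', None)
    print(checkauth(sid, "10.0.0.5", now=1100 + 1801)) # ('login', None): 30 min idle
```

The `now` parameter exists only so the timeout rules can be exercised deterministically; dropping it uses the wall clock. As the mail itself says, the ip check is only a partial protection: users behind one NAT or proxy share an address, and a user whose address changes mid-session is sent to the warning page, so the idle timeout and an unguessable sessionID carry most of the weight.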
