mod_authn_tkt provides secure cookie-based authentication for Lighttpd. It is a port of the Apache module of the same name (mod_auth_tkt).
Basically it works as follows: the module itself never sees a password. A login application of your own (the "login-url", written in any language) authenticates the user and sets a ticket cookie whose contents are protected by a digest keyed with a secret shared with lighttpd; the ticket carries the issue timestamp, the user name, any authorization tokens and, unless "ignore-ip" is enabled, the client's IP address. On every request to a protected path mod_authn_tkt recomputes the digest and redirects the client to "login-url" if the ticket is missing or invalid, to "timeout-url" if its timestamp is older than "timeout", and to "unauth-url" if it lacks a token required for that path.
More information may be found at the homepage of the original Apache module: http://www.openfusion.com.au/labs/mod_auth_tkt
auth.method.tkt.opts = ( ... )
All options are collected into this single directive so that a site's authentication configuration and policy stay together. The mod_auth auth.require directive selects mod_authn_tkt (method "authn_tkt") for a URL path and names the authorized users.
"secret" - string, required. Secret component of the ticket digest (MD5 by default; see "digest-type"). Anyone who knows it can forge tickets, so use a long random value and share it only with the login application.
"secret-old" - string, optional. Previous secret; tickets digested with it remain valid, so the secret can be rotated without invalidating tickets already issued.
"login-url" - string, required. Unauthorized requests (no ticket, or an invalid ticket) are redirected to this URI.
"timeout-url" - string, default="login-url". Requests whose ticket timestamp is older than "timeout" are redirected to this URI.
"post-timeout-url" - string, default="timeout-url". As "timeout-url", for requests made via POST.
"unauth-url" - string, default="login-url". Requests whose ticket is valid but lacks a token required by "tokens" are redirected to this URI.
"timeout" - string, default=7200. Period of time before a ticket is considered expired. This is not the cookie's Expires attribute: the timestamp is part of the ticket and covered by the digest, so the client cannot extend it. The last character of the string may be one of m, h, d, w, M, y to specify minutes, hours, days, weeks, months and years respectively; with no suffix the value is in seconds.
"timeout-refresh" - float, default=0 From documentation of mod_auth_tkt for Apache: "A number between 0 and 1 indicating whether and how to refresh ticket timestamps. 0 means never refresh (hard timeouts). 1 means refresh tickets every time. .33 (for example) means refresh if less than .33 of the timeout period remains."
"digest-type" - string, default="MD5". Digest used in the ticket. "SHA256" or "SHA512" are available if the module is linked with openssl libcrypto; prefer one of them when your login script can produce matching tickets.
"ignore-ip" - boolean, default=disable. If enabled, the client's IP address is not included in the ticket digest. When disabled (the default) the IP is included, so a ticket is only accepted from the address it was issued to; enable this only if clients may legitimately change address mid-session (for example behind a pool of proxies), since it also lets a captured ticket be replayed from elsewhere.
"require-ssl" - boolean, default=disable. If enabled, tickets sent over clear HTTP are ignored. A ticket sent over plain HTTP can be captured and replayed, so enable this wherever the site is served over HTTPS.
"cookie-secure" - boolean, default=disable. Whether to set the Secure flag on ticket cookies (default=enable when "require-ssl" is enabled), so browsers never send the ticket over clear HTTP.
"cookie-name" - string, default="auth_tkt" ticket is set as a cookie with this name
"cookie-domain" - string, default="" (not set). Domain attribute of the ticket cookie.
"cookie-expires" - string, default=0 'Expires' field of the ticket cookie. Format is the same as "timeout"
"back-cookie-name" - string, optional If set, cookie with this name is used instead of GET parameter, to remember the requested page
"back-arg-name" - string, default=back From documentation of mod_auth_tkt for Apache: "will add a GET parameter to all redirect URLs containing a URI-escaped version of the current requested page e.g. if the requested page is http://www.example.com/index.html and "back-arg-name" is set to 'back', mod_auth_tkt will add a parameter like:
back=http%3A%2F%2Fwww.example.com%2Findex.html
to the "login-url" it redirects to, allowing your login script
to redirect back to the requested page upon successful login."
"guest-user" - string, default="guest". Guest user name. If the string contains %U or %nU (n from 1 to 32, e.g. "guest-%16U"), that placeholder is replaced with n random hex characters.
"guest-login" - boolean, default=disable. Permit guest login (if the cookie is invalid or missing).
"guest-cookie" - boolean, default=disable. Create a cookie for the guest (not supported yet).
"guest-fallback" - boolean, default=disable. Fall back to guest login if the ticket has expired.
"tokens" - list, default=(), optional. List of URL-path prefixes, each with the additional authorization tokens it requires. If a URL path matches a prefix whose token list is non-empty, the user may access the resource only if his or her ticket carries at least one of the listed tokens; otherwise the request is redirected to "unauth-url".
Example configuration:

server.modules = (
    ...
    "mod_auth",
    "mod_authn_tkt",
    ...
)

auth.method.tkt.opts = (
    "secret"           => "longlonglongsecretkey",
    "secret-old"       => "previously-rotated-longlonglongsecretkey",
    "login-url"        => "https://www.example.org/login.html",
    "timeout-url"      => "https://www.example.org/login.html?timeout=1",
    "post-timeout-url" => "https://www.example.org/login.html?posttimeout=1",
    "unauth-url"       => "https://www.example.org/login.html?unauth=1",
    "timeout"          => "20m",
    "timeout-refresh"  => ".25",
    "digest-type"      => "MD5",        # "MD5", "SHA256", or "SHA512"
    "ignore-ip"        => "disable",
    "require-ssl"      => "enable",
    "cookie-secure"    => "enable",
    "cookie-name"      => "auth_tkt",
    "cookie-domain"    => "example.org",
    "cookie-expires"   => "20m",
    "back-arg-name"    => "back",
    "back-cookie-name" => "auth_tkt_back",
    "guest-user"       => "guest-%16U",
    "guest-login"      => "disable",
    "guest-cookie"     => "disable",
    "guest-fallback"   => "disable",
    "tokens"           => (
        "/protected-folder/protected.txt" => ("token1", "admin"),
        "/download/"                      => ("downloader"),
        "/server-info"                    => ("admin")
    )
)

auth.require = (
    "/download/" => (
        "method"  => "authn_tkt",
        "realm"   => "ignored-for-authn-tkt",   # must be non-empty
        "require" => "user=agent007|user=agent008"
    ),
    "/server-info" => (
        # limit access to valid user with "admin" token (above)
        "method"  => "authn_tkt",
        "realm"   => "ignored-for-authn-tkt",   # must be non-empty
        "require" => "valid-user"
    ),
    "/protected-folder/" => (
        # limit access to valid user
        # additionally require tokens for protected.txt (above)
        "method"  => "authn_tkt",
        "realm"   => "ignored-for-authn-tkt",   # must be non-empty
        "require" => "valid-user"
    )
)
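To show what the login script at "login-url" has to produce, and what the module checks against the options above ("secret"/"secret-old", "timeout", "ignore-ip", "tokens" and "timeout-refresh"), the following Python script is added here as an example. It is neither lighttpd nor mod_auth_tkt code: it builds and verifies tickets in the Apache mod_auth_tkt ticket layout (digest, 8-hex-digit timestamp, then user, comma-separated tokens and user data separated by '!', with a two-round digest over packed IPv4 address and timestamp). That the lighttpd port accepts exactly this layout is an assumption to confirm against its source; the function names make_ticket, verify_ticket and needs_refresh, and the sample user, address and timestamps, are invented for the example.

```python
# Added example: issue and check mod_auth_tkt-style tickets in Python.
# Not lighttpd or mod_auth_tkt code; it follows the Apache mod_auth_tkt
# ticket layout and assumes the lighttpd port accepts the same layout.
import hashlib
import hmac
import socket
import struct
import time

# Names as accepted by the "digest-type" option.
DIGESTS = {"MD5": hashlib.md5, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
HEX = set("0123456789abcdef")


def _digest(secret, ip, ts, user, tokens, user_data, digest_type):
    """Two-round keyed digest of the Apache mod_auth_tkt layout:
    d0 = H(packed_ipv4 + packed_ts + secret + user + NUL + tokens + NUL + data)
    d  = H(hex(d0) + secret)
    With "ignore-ip" enabled the IP part is 0.0.0.0 on both sides."""
    h = DIGESTS[digest_type]
    packed = socket.inet_aton(ip) + struct.pack("!I", ts)   # 4-byte IP, big-endian time
    d0 = h(packed + secret.encode() + user.encode() + b"\0"
           + tokens.encode() + b"\0" + user_data.encode()).hexdigest()
    return h(d0.encode() + secret.encode()).hexdigest()


def make_ticket(secret, user, tokens=(), ip="0.0.0.0", user_data="",
                ts=None, digest_type="MD5"):
    """What the login script stores in the "cookie-name" cookie:
    <digest><8 hex timestamp><user>!<token,token>!<user_data>.
    user and tokens must not contain '!' (it is the field separator)."""
    ts = int(time.time()) if ts is None else ts
    tokens_str = ",".join(tokens)
    d = _digest(secret, ip, ts, user, tokens_str, user_data, digest_type)
    return "%s%08x%s!%s!%s" % (d, ts, user, tokens_str, user_data)


def verify_ticket(ticket, secrets, ip, timeout, required_tokens=(), now=None,
                  digest_type="MD5"):
    """Check a ticket the way the module's options describe.  Returns
    (status, user, tokens); status maps onto the redirect targets:
    'ok', 'invalid' (login-url), 'expired' (timeout-url), 'unauth' (unauth-url).
    `secrets` lists the current secret first and "secret-old" second."""
    now = int(time.time()) if now is None else now
    dlen = DIGESTS[digest_type]().digest_size * 2          # hex length
    if len(ticket) < dlen + 8:
        return "invalid", None, ()
    d, ts_hex, rest = ticket[:dlen], ticket[dlen:dlen + 8], ticket[dlen + 8:]
    if not set(d) <= HEX:                                  # keep compare_digest on ASCII
        return "invalid", None, ()
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return "invalid", None, ()
    parts = rest.split("!", 2)
    user = parts[0]
    tokens_str = parts[1] if len(parts) > 1 else ""
    user_data = parts[2] if len(parts) > 2 else ""
    # Accept a ticket minted under either the current or the previous secret.
    for secret in secrets:
        expect = _digest(secret, ip, ts, user, tokens_str, user_data, digest_type)
        if hmac.compare_digest(expect, d):
            break
    else:
        return "invalid", None, ()           # forged, tampered, or wrong client IP
    tokens = tuple(t for t in tokens_str.split(",") if t)
    if timeout and now - ts > timeout:       # timestamp is inside the digest
        return "expired", user, tokens
    if required_tokens and not set(required_tokens) & set(tokens):
        return "unauth", user, tokens        # valid user, missing "tokens" entry
    return "ok", user, tokens


def needs_refresh(ticket_ts, timeout, refresh, now):
    """"timeout-refresh": reissue the ticket when no more than `refresh` of the
    timeout period remains (0 = never, 1 = every request)."""
    remaining = timeout - (now - ticket_ts)
    return refresh > 0 and remaining <= refresh * timeout


if __name__ == "__main__":
    # Constructed sample: secret and timeout from the configuration example.
    secret, ip = "longlonglongsecretkey", "192.0.2.10"
    t = make_ticket(secret, "agent007", ("admin",), ip=ip, ts=1700000000)
    print(t)
    print(verify_ticket(t, [secret], ip, 20 * 60, ("admin",), now=1700000100))
    print(verify_ticket(t, [secret], ip, 20 * 60, now=1700001300))   # expired
```

The login script only needs the first function; the second is what lighttpd does on every protected request and is here so the redirect cases can be exercised offline. Note that changing "digest-type" changes the digest length the module expects, so the login script must switch at the same time.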