mod_pubcookie uses the following run-time configuration
directives:
Important Note: If you put the LoadModule and AddModule directives
within <IfDefine HAVE_SSL>, you must also put the mod_pubcookie
configuration directives in httpd.conf within
<IfDefine HAVE_SSL>; otherwise apachectl restart and
apachectl configtest will fail.
Syntax: AuthType type
Context: directory, .htaccess
Compatibility: All versions of mod_pubcookie
and Apache 1.2 and later.
This directive selects the type of user authentication applied to a
resource. It must be accompanied by a require directive
when used with an authentication type handled by mod_pubcookie.
The type is case-insensitive and can be any name defined by
PubcookieAuthTypeNames or supported as an existing core AuthType
(e.g. Basic).
Syntax: PubcookieInactiveExpire expire-time-in-seconds
Context: directory, .htaccess
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
The duration of inactivity allowed between a user and an application before
the session expires. Expiration due to inactivity causes a loop through the login
server to obtain a new granting cookie.
The default value is 30 minutes, which is defined as PBC_DEFAULT_INACT_EXPIRE
in pbc_config.h. The minimum inactivity timeout is five minutes.
A value of -1 turns off the check for inactivity.
Syntax: PubcookieHardExpire expire-time-in-seconds
Context: directory, .htaccess
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
The maximum duration of an application session, regardless of user activity.
Expiration due to reaching the hard timeout causes a loop through the login server
to obtain a new granting cookie.
The default value is eight hours, which is defined as PBC_DEFAULT_HARD_EXPIRE
in pbc_config.h. The minimum is one hour; the maximum is twelve hours.
Syntax: PubcookieAppID application-name
Context: directory, .htaccess
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
The name of the application. The default is the directory path.
Use of this directive may require that you set AllowOverride
All in httpd.conf.
Syntax: PubcookieDirDepthforAppID depth
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
Allows you to limit the length of default AppIDs to a specific number of
directories.
The depth is the number of directories that the AppID will be truncated to.
For example:
| AppID | depth |
| / | 0 |
| /blah/ | 1 |
| /blah/asdf/ | 2 |
This directive has no effect if PubcookieAppID
is specified.
Syntax: PubcookieAppSrvID AppServerID
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
Allows you to specify an AppSrvID string, instead of using the default based
on your ServerName.
Syntax: PubcookieLogin url-of-login-server
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
The location of the login CGI on the pubcookie login server.
The default is https://weblogin.washington.edu/, which
is defined as PBC_LOGIN_URI in pbc_config.h.
Syntax: PubcookieDomain domain
Context: server config, virtual host
Compatibility: Versions of mod_pubcookie 3.0.0 and
higher and Apache 1.2 and later.
The DNS domain under which all hosts will live. It must be at
least a second-level domain (e.g. example.edu). It is used to scope
"granting" cookies for communication between the login server and
application servers.
Syntax: PubcookieGrantingCertfile filename
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
The name of the file containing the login server's certificate used to
verify granting cookies.
The default is /usr/local/pubcookie/pubcookie_granting.cert which is defined
as PBC_G_CERTFILE in pbc_config.h.
Syntax: PubcookieSessionKeyfile filename
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
The name of the file containing the key for session cookies.
The default is /usr/local/pubcookie/pubcookie_session.key which is defined
as PBC_S_KEYFILE in pbc_config.h.
Syntax: PubcookieSessionCertfile filename
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
The name of the file containing the certificate for session cookies.
The default is /usr/local/pubcookie/pubcookie_session.cert which is defined
as PBC_S_CERTFILE in pbc_config.h.
Syntax: PubcookieCryptKeyfile filename
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and
Apache 1.2 and later.
The name of the file containing the shared key for encrypting/decrypting
cookies.
The default is /usr/local/pubcookie/c_key which is defined as
PBC_CRYPT_KEYFILE in pbc_config.h.
Syntax: PubcookieEndSession redirect | clearLogin | on | off
Context: directory, .htaccess
Compatibility: Versions of mod_pubcookie 1.69
and later and Apache 1.3 and later.
This directive is used to end an application session. It should be placed in
a child directory or explicitly have the same PubcookieAppID as the application it is going to affect.
(E.g., if /webapp/ defines the AuthType directive, then /webapp/logout/ would
typically be used to define PubcookieEndSession.)
With arguments on, redirect, and clearLogin the
session cookie is cleared. Re-requesting the resource will require a trip to
the login server to retrieve a new granting cookie. Note: session cookies of
other applications are not cleared by the PubcookieEndSession directive, only
the session cookie applicable to the scope of the current application.
After clearing the session cookie, the redirect and
clearLogin arguments redirect the browser back to the login server
which generates a response page. The clearLogin argument also causes
the login server to clear the user's login cookie.
The off argument turns off all PubcookieEndSession
functionality.
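The /webapp/ and /webapp/logout/ arrangement described above, written out as an httpd.conf fragment. This is an added example, not taken from the Pubcookie distribution: the login host weblogin.example.edu, the AppID webapp, the type name EGNetID and the timeout values are assumptions, while the key and certificate paths are the documented defaults.

```apache
# Added example; host names, AppID and timeout values are illustrative.

# --- server config / virtual host context ---
# Required in mod_pubcookie 1.77 and higher; the first name maps to
# credential type "1" on the login server.
PubcookieAuthTypeNames EGNetID
PubcookieLogin https://weblogin.example.edu/
# Scopes granting cookies; must be at least a second-level domain.
PubcookieDomain example.edu
PubcookieGrantingCertfile /usr/local/pubcookie/pubcookie_granting.cert
PubcookieSessionKeyfile /usr/local/pubcookie/pubcookie_session.key
PubcookieSessionCertfile /usr/local/pubcookie/pubcookie_session.cert
PubcookieCryptKeyfile /usr/local/pubcookie/c_key

# --- directory context: the protected application ---
<Location /webapp/>
    AuthType EGNetID
    # AuthType must be accompanied by a require directive.
    require valid-user
    # Set explicitly so the logout section below can name the same AppID.
    PubcookieAppID webapp
    # 15 minutes idle. The minimum is five minutes; -1 would turn the
    # inactivity check off and leave only the hard timeout.
    PubcookieInactiveExpire 900
    # 4 hours absolute. Allowed range is one hour to twelve hours.
    PubcookieHardExpire 14400
</Location>

# --- directory context: logout for the same application ---
# As a child of /webapp/ this section inherits AuthType and require.
<Location /webapp/logout/>
    PubcookieAppID webapp
    # Clears this application's session cookie, then redirects to the
    # login server, which also clears the user's login cookie.
    # Session cookies of other applications are not touched.
    PubcookieEndSession clearLogin
</Location>
```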
Syntax: PubcookieSessionCauseReAuth on|off
Context: directory, .htaccess
Compatibility: All versions of mod_pubcookie
and Apache 1.2 and later.
When set to on, the PubcookieSessionCauseReAuth directive overrides
the login server's single sign-on functionality, forcing each user to re-enter
credentials when requesting an application for the first time or when a session
timeout has occurred.
Syntax: PubcookieAuthTypeNames name1 [name2 ...]
Context: server config, virtual host, directory
Compatibility: Versions of mod_pubcookie 1.77
and higher and Apache 1.3 and later.
This directive names the new authentication types added by
mod_pubcookie to the AuthType directive. For
example, PubcookieAuthTypeNames EGNetID allows you to use
AuthType EGNetID.
The ordered list of the names maps each new authentication type
directly to an intrinsic Pubcookie credential type: name1 is
credential type "1", name2 is credential type "2", and so on.
This is how Pubcookie ties each AuthType to a different "login flavor"
handled by the login server. Of course, most sites have only one login
flavor, the basic flavor, and therefore only need to specify one name.
Note: if necessary, a value of null can be used to define an
unused position in the ordered list of PubcookieAuthTypeNames.
PubcookieAuthTypeNames is required in mod_pubcookie 1.77 and
higher. All users upgrading to mod_pubcookie 1.77 or higher must add this
directive to their server configuration.
Syntax: PubcookieAddlRequest opt1=val1 [opt2=val2...]
Context: directory, .htaccess
Compatibility: Versions of mod_pubcookie
3.0 and higher and Apache 1.3 and later.
This directive allows the application to give arbitrary requests to
the login server. The directive causes the following options to be
sent to the login server along with authentication requests.
Currently, it is site-defined what options cause what sort of
responses from the login server and how these responses are
returned. Eventually, there will be a standardized mechanism for
returning answers. Likely they will be returned in extensions to the
granting response and set as environment variables.
Syntax: PubcookieSuperDebug on|off
Context: directory, .htaccess
Compatibility: All versions of mod_pubcookie
and Apache 1.2 and later.
This directive is deprecated in version 3.0.0 and higher. Use the LogLevel
directive for debugging.