Apache2 mod_auth_form and OTP

Posted: 9th February 2018 by luca in Software

Download

Languages: C
Original Author: no idea – Apache Software Foundation (ASF)
Description: This module allows the use of an HTML login form to restrict access by looking up users in the given providers. HTML forms require significantly more configuration than the alternatives, however an HTML login form can provide a much friendlier experience for end users.

This small patch adds support for an OTP as a separate field in the authentication form.
Two new configuration parameters related to mod_auth_form have been added:

AuthFormOtp = Sets the name of the form field containing the OTP value (compare AuthFormPassword) [default value httpd_otp]
AuthFormOtpReuse = If enabled, the OTP is reused for every HTTP request (retrieved from the cookie if necessary) [default value off]

The behaviour is simple: if the field httpd_otp is not present in the HTTP POST, the mod_auth_form module works normally; if it is present, the password and OTP are merged and the result is sent to the chosen authentication provider.

The session data is saved with user, password and OTP kept separate.

Be careful: OTP and password are put together ONLY if the authentication comes from the form, i.e. an HTTP POST. If re-authentication occurs through the session (e.g. cookie), the OTP is ignored because it is presumed to have expired.
This behaviour can be changed with the AuthFormOtpReuse configuration option (see above).
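
A configuration sketch showing where the two new directives sit in a mod_auth_form setup. This is an added example, not part of the patch or the original post; the paths, realm name, cookie name, provider and passphrase are placeholders, and all directives other than AuthFormOtp and AuthFormOtpReuse are stock mod_auth_form / mod_session ones.

```apache
# Added example: paths, realm, cookie name, provider and passphrase are
# placeholders. Needs the patched mod_auth_form plus mod_request,
# mod_session, mod_session_cookie and mod_session_crypto.

# Login handler: the form in /login.html posts here.
<Location "/dologin">
    SetHandler form-login-handler
    AuthType form
    AuthName "private"
    # Placeholder: a provider that accepts password and OTP as one string.
    AuthFormProvider PROVIDER_PLACEHOLDER
    AuthFormLoginRequiredLocation "/login.html"
    AuthFormLoginSuccessLocation "/private/"

    # Field names expected in the POST body. The first two are stock
    # mod_auth_form directives; AuthFormOtp comes from the patch.
    AuthFormUsername httpd_username
    AuthFormPassword httpd_password
    AuthFormOtp      httpd_otp

    # The session keeps user, password and OTP, so encrypt the cookie.
    Session On
    SessionCookieName session path=/;httponly;secure
    SessionCryptoPassphrase PASSPHRASE_PLACEHOLDER
</Location>

# Protected area: later requests re-authenticate from the session.
<Location "/private">
    AuthType form
    AuthName "private"
    AuthFormProvider PROVIDER_PLACEHOLDER
    AuthFormLoginRequiredLocation "/login.html"

    # off (default): on re-authentication from the session the stored
    # OTP is ignored, because it is presumed expired.
    # on: the stored OTP is reused for every request.
    AuthFormOtpReuse off

    Session On
    SessionCookieName session path=/;httponly;secure
    SessionCryptoPassphrase PASSPHRASE_PLACEHOLDER
    Require valid-user
</Location>
```

The login form itself needs a third input whose name matches AuthFormOtp (httpd_otp by default), next to httpd_username and httpd_password.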