mod_pubcookie uses the following run-time configuration directives:
Important Note: If you put the LoadModule and AddModule within <IfDefine HAVE_SSL>, you will need to put any httpd.conf configuration directives within <IfDefine HAVE_SSL>, or apachectl restart and apachectl configtest will fail.
Syntax: AuthType type
Context: server config, virtual host, directory, .htaccess
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
This directive selects the type of user authentication applied to a resource. It must be accompanied by a require directive when used with an authentication type handled by mod_pubcookie.
The type is case-insensitive and can be any name defined by PubcookieAuthTypeNames or supported as an existing core AuthType (e.g. Basic).
Syntax: PubcookieInactiveExpire expire-time-in-seconds
Context: server config, virtual host, directory, .htaccess
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
The duration of inactivity allowed between a user and an application before the session expires. Expiration due to inactivity causes a loop through the login server to obtain a new granting cookie.
The default value is 30 minutes, which is defined as PBC_DEFAULT_INACT_EXPIRE in pbc_config.h. The minimum inactivity timeout is five minutes.
A value of -1 turns off the check for inactivity.
Syntax: PubcookieHardExpire expire-time-in-seconds
Context: server config, virtual host, directory, .htaccess
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
The maximum duration of an application session, regardless of user activity. Expiration due to reaching the hard timeout causes a loop through the login server to obtain a new granting cookie.
The default value is eight hours, which is defined as PBC_DEFAULT_HARD_EXPIRE in pbc_config.h. The minimum is one hour; the maximum is twelve hours.
Syntax: PubcookieAppID application-name
Context: server config, virtual host, directory, .htaccess
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
The name of the application. The default is the directory path.
Use of this directive may require that you set AllowOverride All in httpd.conf.
Syntax: PubcookieDirDepthforAppID depth
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
Allows you to limit the length of default AppIDs to a specific number of directories.
The depth is the number of directories that the AppID will be truncated to. e.g.:
| / | 0 |
| /blah/ | 1 |
| /blah/asdf/ | 2 |
This directive has no effect if PubcookieAppID is specified.
Syntax: PubcookieAppSrvID AppServerID
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
Allows you to specify an AppSrvID string, instead of using the default based on your ServerName.
Syntax: PubcookieLogin url-of-login-server
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
The location of the login CGI on the pubcookie login server.
The default is https://weblogin.washington.edu/ which is defined as PBC_LOGIN_URI in pbc_config.h.
Syntax: PubcookieGrantingCertfile filename
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
The name of the file containing the login server's certificate used to verify granting cookies.
The default is /usr/local/pubcookie/pubcookie_granting.cert which is defined as PBC_G_CERTFILE in pbc_config.h.
Syntax: PubcookieSessionKeyfile filename
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
The name of the file containing the key for session cookies.
The default is /usr/local/pubcookie/pubcookie_session.key which is defined as PBC_S_KEYFILE in pbc_config.h.
Syntax: PubcookieSessionCertfile filename
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
The name of the file containing the certificate for session cookies.
The default is /usr/local/pubcookie/pubcookie_session.cert which is defined as PBC_S_CERTFILE in pbc_config.h.
Syntax: PubcookieCryptKeyfile filename
Context: server config, virtual host
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
The name of the file containing the shared key for encrypting/decrypting cookies.
The default is /usr/local/pubcookie/c_key which is defined as PBC_CRYPT_KEYFILE in pbc_config.h.
Syntax: PubcookieEndSession redirect | clearLogin | on | off
Context: server config, virtual host, directory, .htaccess
Compatibility: Versions of mod_pubcookie 1.69 and later and Apache 1.3 and later.
This directive is used to end an application session. It should be placed in a child directory or explicitly have the same PubcookieAppID as the application it is going to affect. (E.g., if /webapp/ defines the AuthType directive, then /webapp/logout/ would typically be used to define PubcookieEndSession.)
With arguments on, redirect, and clearLogin the session cookie is cleared. Re-requesting the resource will require a trip to the login server to retrieve a new granting cookie. Note: session cookies of other applications are not cleared by the PubcookieEndSession directive, only the session cookie applicable to the scope of the current application.
After clearing the session cookie, the redirect and clearLogin arguments redirect the browser back to the login server which generates a response page. The clearLogin argument also causes the login server to clear the user's login cookie.
The off argument turns off all PubcookieEndSession functionality.
Syntax: PubcookieSessionCauseReAuth on|off
Context: server config, virtual host, directory, .htaccess
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
When set to on, the PubcookieSessionCauseReAuth directive overrides the login server's single sign-on functionality, forcing each user to re-enter credentials when requesting an application for the first time or when a session timeout has occurred.
Syntax: PubcookieAuthTypeNames name1 [name2 ...]
Context: server config, virtual host, directory
Compatibility: Versions of mod_pubcookie 1.77 and higher and Apache 1.3 and later.
This directive names the new authentication types added by mod_pubcookie to the AuthType directive. For example, PubcookieAuthTypeNames EGNetID allows you to use AuthType EGNetID.
The ordered list of the names maps each new authentication type directly to an intrinsic Pubcookie credential type: name1 is credential type "1", name2 is credential type "2", and so on. This is how Pubcookie ties each AuthType to a different "login flavor" handled by the login server. Of course, most sites have only one login flavor, the basic flavor, and therefore only need to specify one name. Note: if necessary, a value of null can be used to define an unused position in the ordered list of PubcookieAuthTypeNames.
PubcookieAuthTypeNames is required in mod_pubcookie 1.77 and higher. All users upgrading to mod_pubcookie 1.77 or higher must add this directive to their server configuration.
Syntax: PubcookieAddlRequest opt1=val1 [opt2=val2...]
Context: server config, virtual host, directory, .htaccess
Compatibility: Versions of mod_pubcookie 3.0 and higher and Apache 1.3 and later.
This directive allows the application to give arbitrary requests to the login server. The directive causes the following options to be sent to the login server along with authentication requests.
Currently, it is site-defined what options cause what sort of responses from the login server and how these responses are returned. Eventually, there will be a standardized mechanism for returning answers. Likely they will be returned in extensions to the granting response and set as environment variables.
Syntax: PubcookieSuperDebug on|off
Context: server config, virtual host, directory, .htaccess
Compatibility: All versions of mod_pubcookie and Apache 1.2 and later.
This directive is deprecated in version 3.0.0 and higher. Use the LogLevel directive for debugging.
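The limits documented above (session timeouts, AuthType names, the deprecated debug directive) can be checked mechanically before a configuration is deployed. The following is an added example, not part of mod_pubcookie or its documentation; the function name lint_pubcookie, the sample paths and the NetID name are constructed for illustration.

```python
INACT_MIN = 5 * 60                          # seconds; limits are the ones this page documents
HARD_MIN, HARD_MAX = 60 * 60, 12 * 60 * 60  # documented hard-timeout range
CORE_AUTH_TYPES = {"basic"}                 # only core type the page names; extend as needed

def lint_pubcookie(conf_text):
    """Return sorted (line_number, message) findings for a config fragment."""
    findings, names, auth_types = [], set(), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith(("#", "<")):
            continue  # blank line, comment or container tag
        key, args = parts[0].lower(), parts[1:]
        if key == "pubcookieauthtypenames":
            names.update(a.lower() for a in args if a.lower() != "null")  # null = unused slot
        elif key == "authtype" and args:
            auth_types.append((lineno, args[0]))
        elif key == "pubcookiesuperdebug":
            findings.append((lineno, "deprecated in 3.0.0 and higher; use LogLevel"))
        elif key in ("pubcookieinactiveexpire", "pubcookiehardexpire") and args:
            try:
                secs = int(args[0])
            except ValueError:
                findings.append((lineno, "timeout is not a whole number of seconds"))
                continue
            if key == "pubcookieinactiveexpire" and secs == -1:
                findings.append((lineno, "inactivity check is turned off"))
            elif key == "pubcookieinactiveexpire" and secs < INACT_MIN:
                findings.append((lineno, "inactivity timeout under five minutes"))
            elif key == "pubcookiehardexpire" and not HARD_MIN <= secs <= HARD_MAX:
                findings.append((lineno, "hard timeout outside one to twelve hours"))
    # AuthType is case-insensitive: it must be a declared name or a core type.
    for lineno, value in auth_types:
        if value.lower() not in names | CORE_AUTH_TYPES:
            findings.append((lineno, f"AuthType {value} not in PubcookieAuthTypeNames"))
    return sorted(findings)

# Constructed sample fragment; paths and the NetID name are made up.
SAMPLE = """\
PubcookieAuthTypeNames EGNetID
PubcookieSuperDebug on
<Directory "/var/www/webapp">
    AuthType NetID
    require valid-user
    PubcookieInactiveExpire -1
    PubcookieHardExpire 86400
</Directory>
"""
for finding in lint_pubcookie(SAMPLE):
    print(*finding)
```

The check reads only the literal text it is given; it does not follow Include files or merge per-directory overrides the way Apache does.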