mod_clientid  

mod_clientid may be used to create a session secret which is stored at the browser within a cookie. The module tries to ensure that this cookie is only used by the client it has been issued for by locking it to additional client attributes such as:

  • IP address
  • SSL session id
  • Browser fingerprint (based on HTTP request headers as well as SSL parameters)
Locking is enforced by restricting which of the attributes defined by the CLID_Require directive the client may change at the same time. If all the specified attributes change at once, the client is verified by redirecting it to a pre-defined URL which checks whether the browser still knows the ETag for this URL as it was when the session cookie was created. If this verification fails, the client has to use a new session secret.

mod_clientid is an open source software licensed under the GNU Lesser General Public License. Downloads are handled by SourceForge.net.

Module Directives

  • CLID_Cookie <secret> <cookie name> <check path>
    Enables the module by defining a secret for data encryption, a name for the cookie used to store the client attributes as well as its secret, and a URL path which is used to verify that the client accepts cookies.
  • CLID_Require <attribute>
    Specifies the client attributes which must not change at the very same time/request. Client sessions whose attributes change within the same request are validated using the ETag. Available attributes are 'ip', 'ssl', and 'fp'.
  • CLID_Fingerprint <attribute>
    Specifies the client attributes used to calculate the fingerprint.
    Default are the HTTP request headers Accept-Language, Accept-Encoding, and User-Agent as well as the SSL parameters SSL_CIPHER, SSL_PROTOCOL, SSL_CIPHER_USEKEYSIZE, and SSL_CIPHER_ALGKEYSIZE.
  • CLID_Check <path>
    Defines the path of the URL where the ETag is set/verified. Default is /res/clchk.html.
  • CLID_MaxCheck <number>
    Defines how many times the module performs an ETag check to re-validate a session. Cookies are automatically renewed without further ETag checks if the counter is reached. Default is '0' (infinite).
  • CLID_SemFile <path>
    File path within the server's file system to create the lock file for semaphore/mutex.
    This directive is configured globally (outside virtual hosts).
  • CLID_Enable 'on'|'off'
    Enables session enforcement on a per location basis. Default is 'on'.
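The following is an added illustration, not code from mod_clientid itself: it models the CLID_Require rule described above (and the ETag re-validation with the CLID_MaxCheck counter) in Python, using constructed sample headers and SSL variables. Function and field names are assumptions chosen for the example.

```python
import hashlib
import secrets

# Default fingerprint inputs, as listed for CLID_Fingerprint.
FP_HEADERS = ("Accept-Language", "Accept-Encoding", "User-Agent")
FP_SSL_VARS = ("SSL_CIPHER", "SSL_PROTOCOL",
               "SSL_CIPHER_USEKEYSIZE", "SSL_CIPHER_ALGKEYSIZE")

# Constructed sample request data (not captured from a real client).
SAMPLE_HEADERS = {"Accept-Language": "en", "Accept-Encoding": "gzip",
                  "User-Agent": "Mozilla/5.0 (example)"}
SAMPLE_SSL = {"SSL_CIPHER": "AES128-GCM-SHA256", "SSL_PROTOCOL": "TLSv1.2",
              "SSL_CIPHER_USEKEYSIZE": "128", "SSL_CIPHER_ALGKEYSIZE": "128"}

def fingerprint(headers, ssl_env):
    """Reduce the configured headers and SSL parameters to one short hash ('fp')."""
    parts = [headers.get(h, "") for h in FP_HEADERS]
    parts += [ssl_env.get(v, "") for v in FP_SSL_VARS]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]

def client_attributes(ip, ssl_session_id, headers, ssl_env):
    """The three lockable attributes named by CLID_Require: ip, ssl, fp."""
    return {"ip": ip, "ssl": ssl_session_id, "fp": fingerprint(headers, ssl_env)}

def new_session(attrs):
    """Fresh session secret (CLID_RND) plus the ETag served at the check path."""
    return {"secret": secrets.token_hex(16), "etag": secrets.token_hex(8),
            "attrs": dict(attrs), "checks": 0}

def check_session(session, current, require=("ip", "ssl"), max_check=0):
    """Return 'ok' (unchanged), 'update' (some required attributes changed; the
    cookie is rewritten) or 'verify' (all required attributes changed at once,
    so the client must pass the ETag check). max_check=0 means unlimited checks."""
    changed = [a for a in require if session["attrs"][a] != current[a]]
    if not changed:
        return "ok"
    if len(changed) == len(require) and (max_check == 0 or session["checks"] < max_check):
        session["checks"] += 1
        return "verify"
    session["attrs"].update(current)   # counter exhausted or partial change: renew silently
    return "update"

def revalidate(session, presented_etag, current):
    """Outcome of the ETag check: keep the session if the browser still knows the
    ETag, otherwise the client gets a brand-new session secret."""
    if presented_etag == session["etag"]:
        session["attrs"].update(current)
        return session
    return new_session(current)
```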

Module Variables

  • CLID_RND
    Contains the session secret.

Sample Configuration

# Avoid setting the cookie for a wrong host name: redirect the client using
# mod_rewrite (replace <my server name> by your server's fully qualified host name).
RewriteEngine       on
RewriteCond         %{HTTP:Host} !<my server name>
RewriteRule         ^/(.*)$ https://<my server name>/$1 [L,R]

# Specifies a secret and the name of the cookie (clid). The page /res/cookie.html is
# shown to clients not accepting cookies.
CLID_Cookie         123456abc clid /res/cookie.html

# The IP address and SSL session id must not change at once.
CLID_Require        IP SSL

# The path to the ETag check.
CLID_Check          /res/clchk.html

# Use the secret generated by mod_clientid to encrypt the JSESSIONID cookie.
SetEnvIfPlus        CLID_RND (.*) SP_COOKIE_KEY=$1
CookieEncPlus       JSESSIONID

Build

mod_clientid is an Apache module. You may download the source code of mod_clientid at SourceForge.net and build the shared library using apxs.
Example:
cd apache2
apxs -i -c mod_clientid.c -lcrypto
© 2014-2016, Pascal Buchbinder