Complex security environment

jcortina
Forum Newbie
Posts: 2
Joined: Thu Jun 12, 2003 10:00 am

Complex security environment

Post by jcortina »

Hi all,

I am working on an intranet developed with PHP, using PostgreSQL as a backend, running on a couple of Linux boxes (one for web, one for database).

FYI, the versions I am using are:

- RedHat 7.3
- Apache 1.3.23
- PHP 4.1.2
- PostgreSQL 7.2.4

In my development version (everything in one - separate - server, same versions) I am trying to integrate Kerberos authentication, so that users can access the application using their Windows 2000 network account. After reading a lot, I was able to set up Kerberos authentication for PostgreSQL using the W2K domain as the Kerberos server, and I managed to do some simple PHP scripts opening persistent connections to the database using Kerberos authentication.

My problem now is that my actual application is frame-based, and it seems that the persistent connection works for one or two out of the four frames, and the others behave just as if the DB connection did not exist...

I *think* the problem has to do with how Apache + PHP handle the processes and the DB connections. Since I only want to do the actual login process (i.e. the form with login/password) once, and since for security reasons I prefer NOT to save the password anywhere (on a session variable or similar), I require that all scripts are served by the same process which has the authentication with the database, and this is what seems not to be working...

I have configured Apache to use KeepAlive, and PHP to use persistent connections with a limit of 1 connection per child. I have also tried other configurations and the results are the same...

Any ideas (or even examples) on how to integrate a secure Kerberos authentication using Apache + PHP + PostgreSQL will be greatly appreciated.

Regards,

J.Cortina
jcortina
Forum Newbie
Posts: 2
Joined: Thu Jun 12, 2003 10:00 am

My question simplified

Post by jcortina »

Ok, after some more tests, I could re-phrase my question:

Is it possible to force a client (i.e. each individual visitor) to use a specific (i.e. the same) Apache process?

I just changed my Apache configuration to have MaxClients = 1, and then everything works as expected, but otherwise Apache just opens processes as needed (serving even the same visitor with different processes) and then my database authentication which is valid in one process is not valid in the next.

Thanks
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I've never heard of any way to tie a client to an Apache instance.
cactus
Forum Regular
Posts: 343
Joined: Tue Jun 10, 2003 4:16 am
Location: UK

Post by cactus »

You wouldn't want to, if you did and had 20K users, that's 20K proc's all taking up mem and proc time.

I don't think you would be able to sustain the model, from both a hardware point of view and code.

What about encrypting (simple/complex) your info and writing to a cookie/session, even though you don't want to do this, Apache isn't built for the model you require.

Regards,

Addition:
http://www.phpfreaks.com/postgresqlmanu ... thods.html
http://www.google.com/search?num=100&hl ... PostgreSQL
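
The suggestion above (encrypt the login information and keep it in a cookie/session so that any Apache child can re-authenticate), as an added example that is not code from any poster in this thread. It assumes a modern PHP (7.2 or later, with the bundled sodium extension) rather than the PHP 4.1.2 mentioned in the question; the function names `seal_credential` and `open_credential` are hypothetical, and splitting the ciphertext (session) from the key (cookie) is one design choice assumed here.

```php
<?php
// Added example: seal a login credential so that neither the server-side
// session store nor the browser cookie alone is enough to recover it.
// Assumes PHP >= 7.2 with the sodium extension. Function names are hypothetical.

// Encrypt $credential under a fresh random key (authenticated encryption).
// 'session_blob' is meant for $_SESSION on the server; 'cookie_key' is meant
// for a cookie sent with the Secure and HttpOnly attributes.
function seal_credential(string $credential): array
{
    $key   = sodium_crypto_secretbox_keygen();
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($credential, $nonce, $key);
    return [
        'session_blob' => base64_encode($nonce . $box),
        'cookie_key'   => base64_encode($key),
    ];
}

// Recover the credential on a later request, in whichever Apache child
// happens to serve it. Returns null when either half is missing, malformed,
// or fails authentication (tampered ciphertext or wrong key).
function open_credential(string $sessionBlob, string $cookieKey): ?string
{
    $raw = base64_decode($sessionBlob, true);
    $key = base64_decode($cookieKey, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || $key === false
        || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES
        || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed demonstration values (not real credentials).
$sealed = seal_credential('constructed-example-password');

// Matching halves: every frame's request can rebuild the credential.
var_dump(open_credential($sealed['session_blob'], $sealed['cookie_key']));

// Session data paired with a key that is not the user's cookie is rejected.
$otherKey = base64_encode(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));
var_dump(open_credential($sealed['session_blob'], $otherKey));
```

Each request would call `open_credential` and then open its own database connection, so no request depends on which Apache process handled the login.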