1<?xml version="1.0" encoding="ISO-8859-1"?> 2<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> 3<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!-- 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 5 This file is generated from xml source: DO NOT EDIT 6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 7 --> 8<title>mod_authn_socache - Apache HTTP Server</title> 9<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> 10<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> 11<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" /> 12<script src="/style/scripts/prettify.min.js" type="text/javascript"> 13</script> 14 15<link href="/images/favicon.ico" rel="shortcut icon" /></head> 16<body> 17<div id="page-header"> 18<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p> 19<p class="apache">Apache HTTP Server Version 2.4</p> 20<img alt="" src="/images/feather.gif" /></div> 21<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div> 22<div id="path"> 23<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">Modules</a></div> 24<div id="page-content"> 25<div id="preamble"><h1>Apache Module mod_authn_socache</h1> 26<div class="toplang"> 27<p><span>Available Languages: </span><a href="/en/mod/mod_authn_socache.html" title="English"> en </a> | 28<a href="/fr/mod/mod_authn_socache.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 29</div> 30<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Manages a cache of authentication credentials to relieve 31the load on backends</td></tr> 32<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr> 33<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>authn_socache_module</td></tr> 34<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_authn_socache.c</td></tr> 35<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Version 2.3 and later</td></tr></table> 36<h3>Summary</h3> 37 38 <p>Maintains a cache of authentication credentials, so that a new backend 39 lookup is not required for every authenticated request.</p> 40</div> 41<div id="quickview"><h3 class="directives">Directives</h3> 42<ul id="toc"> 43<li><img alt="" src="/images/down.gif" /> <a href="#authncachecontext">AuthnCacheContext</a></li> 44<li><img alt="" src="/images/down.gif" /> <a href="#authncacheenable">AuthnCacheEnable</a></li> 45<li><img alt="" src="/images/down.gif" /> <a href="#authncacheprovidefor">AuthnCacheProvideFor</a></li> 46<li><img alt="" src="/images/down.gif" /> <a href="#authncachesocache">AuthnCacheSOCache</a></li> 47<li><img alt="" src="/images/down.gif" /> <a href="#authncachetimeout">AuthnCacheTimeout</a></li> 48</ul> 49<h3>Topics</h3> 50<ul id="topics"> 51<li><img alt="" src="/images/down.gif" /> <a href="#intro">Authentication Cacheing</a></li> 52<li><img alt="" src="/images/down.gif" /> <a href="#usage">Usage</a></li> 53<li><img alt="" src="/images/down.gif" /> <a href="#dev">Cacheing with custom modules</a></li> 54</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> 55<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 56<div class="section"> 57<h2><a name="intro" id="intro">Authentication Cacheing</a></h2> 58 <p>Some users of more heavyweight authentication such as SQL database 59 lookups (<code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code>) have reported it putting an 60 unacceptable load on their authentication provider. A typical case 61 in point is where an HTML page contains hundreds of objects 62 (images, scripts, stylesheets, media, etc), and a request to the page 63 generates hundreds of effectively-immediate requests for authenticated 64 additional contents.</p> 65 <p>mod_authn_socache provides a solution to this problem by 66 maintaining a cache of authentication credentials.</p> 67</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 68<div class="section"> 69<h2><a name="usage" id="usage">Usage</a></h2> 70 <p>The authentication cache should be used where authentication 71 lookups impose a significant load on the server, or a backend or 72 network. Authentication by file (<code class="module"><a href="/mod/mod_authn_file.html">mod_authn_file</a></code>) 73 or dbm (<code class="module"><a href="/mod/mod_authn_dbm.html">mod_authn_dbm</a></code>) are unlikely to benefit, 74 as these are fast and lightweight in their own right (though in some 75 cases, such as a network-mounted file, cacheing may be worthwhile). 76 Other providers such as SQL or LDAP based authentication are more 77 likely to benefit, particularly where there is an observed 78 performance issue. Amongst the standard modules, <code class="module"><a href="/mod/mod_authnz_ldap.html">mod_authnz_ldap</a></code> manages its own cache, so only 79 <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code> will usually benefit from this cache.</p> 80 <p>The basic rules to cache for a provider are:</p> 81 <ol><li>Include the provider you're cacheing for in an 82 <code class="directive">AuthnCacheProvideFor</code> directive.</li> 83 <li>List <var>socache</var> ahead of the provider you're 84 cacheing for in your <code class="directive"><a href="/mod/mod_auth_basic.html#authbasicprovider">AuthBasicProvider</a></code> or <code class="directive"><a href="/mod/mod_auth_digest.html#authdigestprovider">AuthDigestProvider</a></code> directive.</li> 85 </ol> 86 <p>A simple usage example to accelerate <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code> 87 using dbm as a cache engine:</p> 88 <pre class="prettyprint lang-config"><Directory /usr/www/myhost/private> 89 AuthType Basic 90 AuthName "Cached Authentication Example" 91 AuthBasicProvider socache dbd 92 AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s" 93 AuthnCacheProvideFor dbd 94 AuthnCacheContext dbd-authn-example 95 AuthnCacheSOCache dbm 96 Require valid-user 97</Directory></pre> 98 99</div><div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 100<div class="section"> 101<h2><a name="dev" id="dev">Cacheing with custom modules</a></h2> 102 <p>Module developers should note that their modules must be enabled 103 for cacheing with mod_authn_socache. A single optional API function 104 <var>ap_authn_cache_store</var> is provided to cache credentials 105 a provider has just looked up or generated. Usage examples are 106 available in <a href="http://svn.eu.apache.org/viewvc?view=revision&revision=957072">r957072</a>, in which three authn providers are enabled for cacheing.</p> 107</div> 108<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 109<div class="directive-section"><h2><a name="AuthnCacheContext" id="AuthnCacheContext">AuthnCacheContext</a> <a name="authncachecontext" id="authncachecontext">Directive</a></h2> 110<table class="directive"> 111<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specify a context string for use in the cache key</td></tr> 112<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheContext <var>directory|server|custom-string</var></code></td></tr> 113<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>directory</code></td></tr> 114<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory</td></tr> 115<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 116<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr> 117</table> 118 <p>This directive specifies a string to be used along with the supplied 119 username (and realm in the case of Digest Authentication) in constructing 120 a cache key. This serves to disambiguate identical usernames serving 121 different authentication areas on the server.</p> 122 <p>Two special values for this are <var>directory</var>, which uses 123 the directory context of the request as a string, and <var>server</var> 124 which uses the virtual host name.</p> 125 <p>The default is <var>directory</var>, which is also the most 126 conservative setting. This is likely to be less than optimal, as it 127 (for example) causes <var>$app-base</var>, <var>$app-base/images</var>, 128 <var>$app-base/scripts</var> and <var>$app-base/media</var> each to 129 have its own separate cache key. A better policy is to name the 130 <code class="directive">AuthnCacheContext</code> for the password 131 provider: for example a <var>htpasswd</var> file or database table.</p> 132 <p>Contexts can be shared across different areas of a server, where 133 credentials are shared. However, this has potential to become a vector 134 for cross-site or cross-application security breaches, so this directive 135 is not permitted in <var>.htaccess</var> contexts.</p> 136 137</div> 138<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 139<div class="directive-section"><h2><a name="AuthnCacheEnable" id="AuthnCacheEnable">AuthnCacheEnable</a> <a name="authncacheenable" id="authncacheenable">Directive</a></h2> 140<table class="directive"> 141<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Enable Authn caching configured anywhere</td></tr> 142<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheEnable</code></td></tr> 143<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 144<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>None</td></tr> 145<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 146<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr> 147</table> 148 <p>This directive is not normally necessary: it is implied if 149 authentication cacheing is enabled anywhere in <var>httpd.conf</var>. 150 However, if it is not enabled anywhere in <var>httpd.conf</var> 151 it will by default not be initialised, and is therefore not 152 available in a <var>.htaccess</var> context. This directive 153 ensures it is initialised so it can be used in <var>.htaccess</var>.</p> 154 155</div> 156<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 157<div class="directive-section"><h2><a name="AuthnCacheProvideFor" id="AuthnCacheProvideFor">AuthnCacheProvideFor</a> <a name="authncacheprovidefor" id="authncacheprovidefor">Directive</a></h2> 158<table class="directive"> 159<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Specify which authn provider(s) to cache for</td></tr> 160<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheProvideFor <var>authn-provider</var> [...]</code></td></tr> 161<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>None</code></td></tr> 162<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 163<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 164<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 165<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr> 166</table> 167 <p>This directive specifies an authentication provider or providers 168 to cache for. Credentials found by a provider not listed in an 169 AuthnCacheProvideFor directive will not be cached.</p> 170 171 <p>For example, to cache credentials found by <code class="module"><a href="/mod/mod_authn_dbd.html">mod_authn_dbd</a></code> 172 or by a custom provider <var>myprovider</var>, but leave those looked 173 up by lightweight providers like file or dbm lookup alone:</p> 174 <pre class="prettyprint lang-config">AuthnCacheProvideFor dbd myprovider</pre> 175 176 177</div> 178<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 179<div class="directive-section"><h2><a name="AuthnCacheSOCache" id="AuthnCacheSOCache">AuthnCacheSOCache</a> <a name="authncachesocache" id="authncachesocache">Directive</a></h2> 180<table class="directive"> 181<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Select socache backend provider to use</td></tr> 182<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheSOCache <var>provider-name[:provider-args]</var></code></td></tr> 183<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr> 184<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>None</td></tr> 185<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 186<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr> 187<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Optional provider arguments are available in 188Apache HTTP Server 2.4.7 and later</td></tr> 189</table> 190 <p>This is a server-wide setting to select a provider for the 191 <a href="/socache.html">shared object cache</a>, followed by 192 optional arguments for that provider. 193 Some possible values for <var>provider-name</var> are "dbm", "dc", 194 "memcache", or "shmcb", each subject to the appropriate module 195 being loaded. If not set, your platform's default will be used.</p> 196 197</div> 198<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div> 199<div class="directive-section"><h2><a name="AuthnCacheTimeout" id="AuthnCacheTimeout">AuthnCacheTimeout</a> <a name="authncachetimeout" id="authncachetimeout">Directive</a></h2> 200<table class="directive"> 201<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set a timeout for cache entries</td></tr> 202<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthnCacheTimeout <var>timeout</var> (seconds)</code></td></tr> 203<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>300 (5 minutes)</code></td></tr> 204<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr> 205<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr> 206<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr> 207<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authn_socache</td></tr> 208</table> 209 <p>Cacheing authentication data can be a security issue, though short-term 210 cacheing is unlikely to be a problem. Typically a good solution is to 211 cache credentials for as long as it takes to relieve the load on a 212 backend, but no longer, though if changes to your users and passwords 213 are infrequent then a longer timeout may suit you. The default 300 214 seconds (5 minutes) is both cautious and ample to keep the load 215 on a backend such as dbd (SQL database queries) down.</p> 216 <p>This should not be confused with session timeout, which is an 217 entirely separate issue. However, you may wish to check your 218 session-management software for whether cached credentials can 219 "accidentally" extend a session, and bear it in mind when setting 220 your timeout.</p> 221 222</div> 223</div> 224<div class="bottomlang"> 225<p><span>Available Languages: </span><a href="/en/mod/mod_authn_socache.html" title="English"> en </a> | 226<a href="/fr/mod/mod_authn_socache.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p> 227</div><div class="top"><a href="#page-header"><img src="/images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> 228<script type="text/javascript"><!--//--><![CDATA[//><!-- 229var comments_shortname = 'httpd'; 230var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_authn_socache.html'; 231(function(w, d) { 232 if (w.location.hostname.toLowerCase() == "httpd.apache.org") { 233 d.write('<div id="comments_thread"><\/div>'); 234 var s = d.createElement('script'); 235 s.type = 'text/javascript'; 236 s.async = true; 237 s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; 238 (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); 239 } 240 else { 241 d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); 242 } 243})(window, document); 244//--><!]]></script></div><div id="footer"> 245<p class="apache">Copyright 2014 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 246<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- 247if (typeof(prettyPrint) !== 'undefined') { 248 prettyPrint(); 249} 250//--><!]]></script> 251</body></html>
