2 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
3 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
4 <!-- $LastChangedRevision$ -->
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
23 <modulesynopsis metafile="mod_authn_socache.xml.meta">
25 <name>mod_authn_socache</name>
26 <description>Manages a cache of authentication credentials to relieve
27 the load on backends</description>
29 <sourcefile>mod_authn_socache.c</sourcefile>
30 <identifier>authn_socache_module</identifier>
31 <compatibility>Version 2.3 and later</compatibility>
34 <p>Maintains a cache of authentication credentials, so that a new backend
35 lookup is not required for every authenticated request.</p>
38 <section id="intro"><title>Authentication Cacheing</title>
39 <p>Some users of more heavyweight authentication such as SQL database
40 lookups (<module>mod_authn_dbd</module>) have reported it putting an
41 unacceptable load on their authentication provider. A typical case
42 in point is where an HTML page contains hundreds of objects
43 (images, scripts, stylesheets, media, etc), and a request to the page
44 generates hundreds of effectively-immediate requests for authenticated
45 additional contents.</p>
46 <p>mod_authn_socache provides a solution to this problem by
47 maintaining a cache of authentication credentials.</p>
50 <section id="usage"><title>Usage</title>
51 <p>The authentication cache should be used where authentication
52 lookups impose a significant load on the server, or a backend or
53 network. Authentication by file (<module>mod_authn_file</module>)
54 or dbm (<module>mod_authn_dbm</module>) are unlikely to benefit,
55 as these are fast and lightweight in their own right (though in some
56 cases, such as a network-mounted file, cacheing may be worthwhile).
57 Other providers such as SQL or LDAP based authentication are more
58 likely to benefit, particularly where there is an observed
59 performance issue. Amongst the standard modules, <module
60 >mod_authnz_ldap</module> manages its own cache, so only
61 <module>mod_authn_dbd</module> will usually benefit from this cache.</p>
62 <p>The basic rules to cache for a provider are:</p>
63 <ol><li>Include the provider you're cacheing for in an
64 <directive>AuthnCacheProvideFor</directive> directive.</li>
65 <li>List <var>socache</var> ahead of the provider you're
66 cacheing for in your <directive module="mod_auth_basic"
67 >AuthBasicProvider</directive> or <directive module=
68 "mod_auth_digest">AuthDigestProvider</directive> directive.</li>
70 <p>A simple usage example to accelerate <module>mod_authn_dbd</module>
71 using dbm as a cache engine:</p>
72 <highlight language="config">
73 #AuthnCacheSOCache is optional. If specified, it is server-wide
75 <Directory "/usr/www/myhost/private">
77 AuthName "Cached Authentication Example"
78 AuthBasicProvider socache dbd
79 AuthDBDUserPWQuery "SELECT password FROM authn WHERE user = %s"
80 AuthnCacheProvideFor dbd
83 AuthnCacheContext dbd-authn-example
88 <section id="dev"><title>Cacheing with custom modules</title>
89 <p>Module developers should note that their modules must be enabled
90 for cacheing with mod_authn_socache. A single optional API function
91 <var>ap_authn_cache_store</var> is provided to cache credentials
92 a provider has just looked up or generated. Usage examples are
94 href="http://svn.eu.apache.org/viewvc?view=revision&revision=957072"
95 >r957072</a>, in which three authn providers are enabled for cacheing.</p>
99 <name>AuthnCacheEnable</name>
100 <description>Enable Authn caching configured anywhere</description>
101 <syntax>AuthnCacheEnable</syntax>
102 <contextlist><context>server config</context></contextlist>
103 <override>None</override>
106 <p>This directive is not normally necessary: it is implied if
107 authentication cacheing is enabled anywhere in <var>httpd.conf</var>.
108 However, if it is not enabled anywhere in <var>httpd.conf</var>
109 it will by default not be initialised, and is therefore not
110 available in a <var>.htaccess</var> context. This directive
111 ensures it is initialised so it can be used in <var>.htaccess</var>.</p>
116 <name>AuthnCacheSOCache</name>
117 <description>Select socache backend provider to use</description>
118 <syntax>AuthnCacheSOCache <var>provider-name[:provider-args]</var></syntax>
119 <contextlist><context>server config</context></contextlist>
120 <override>None</override>
121 <compatibility>Optional provider arguments are available in
122 Apache HTTP Server 2.4.7 and later</compatibility>
125 <p>This is a server-wide setting to select a provider for the
126 <a href="../socache.html">shared object cache</a>, followed by
127 optional arguments for that provider.
128 Some possible values for <var>provider-name</var> are "dbm", "dc",
129 "memcache", or "shmcb", each subject to the appropriate module
130 being loaded. If not set, your platform's default will be used.</p>
135 <name>AuthnCacheProvideFor</name>
136 <description>Specify which authn provider(s) to cache for</description>
137 <syntax>AuthnCacheProvideFor <var>authn-provider</var> [...]</syntax>
138 <default>None</default>
139 <contextlist><context>directory</context><context>.htaccess</context></contextlist>
140 <override>AuthConfig</override>
143 <p>This directive specifies an authentication provider or providers
144 to cache for. Credentials found by a provider not listed in an
145 AuthnCacheProvideFor directive will not be cached.</p>
147 <p>For example, to cache credentials found by <module>mod_authn_dbd</module>
148 or by a custom provider <var>myprovider</var>, but leave those looked
149 up by lightweight providers like file or dbm lookup alone:</p>
150 <highlight language="config">
151 AuthnCacheProvideFor dbd myprovider
157 <name>AuthnCacheTimeout</name>
158 <description>Set a timeout for cache entries</description>
159 <syntax>AuthnCacheTimeout <var>timeout</var> (seconds)</syntax>
160 <default>300 (5 minutes)</default>
161 <contextlist><context>directory</context><context>.htaccess</context></contextlist>
162 <override>AuthConfig</override>
165 <p>Cacheing authentication data can be a security issue, though short-term
166 cacheing is unlikely to be a problem. Typically a good solution is to
167 cache credentials for as long as it takes to relieve the load on a
168 backend, but no longer, though if changes to your users and passwords
169 are infrequent then a longer timeout may suit you. The default 300
170 seconds (5 minutes) is both cautious and ample to keep the load
171 on a backend such as dbd (SQL database queries) down.</p>
172 <p>This should not be confused with session timeout, which is an
173 entirely separate issue. However, you may wish to check your
174 session-management software for whether cached credentials can
175 "accidentally" extend a session, and bear it in mind when setting
181 <name>AuthnCacheContext</name>
182 <description>Specify a context string for use in the cache key</description>
183 <syntax>AuthnCacheContext <var>directory|server|custom-string</var></syntax>
184 <default>directory</default>
185 <contextlist><context>directory</context></contextlist>
188 <p>This directive specifies a string to be used along with the supplied
189 username (and realm in the case of Digest Authentication) in constructing
190 a cache key. This serves to disambiguate identical usernames serving
191 different authentication areas on the server.</p>
192 <p>Two special values for this are <var>directory</var>, which uses
193 the directory context of the request as a string, and <var>server</var>
194 which uses the virtual host name.</p>
195 <p>The default is <var>directory</var>, which is also the most
196 conservative setting. This is likely to be less than optimal, as it
197 (for example) causes <var>$app-base</var>, <var>$app-base/images</var>,
198 <var>$app-base/scripts</var> and <var>$app-base/media</var> each to
199 have its own separate cache key. A better policy is to name the
200 <directive>AuthnCacheContext</directive> for the password
201 provider: for example a <var>htpasswd</var> file or database table.</p>
202 <p>Contexts can be shared across different areas of a server, where
203 credentials are shared. However, this has potential to become a vector
204 for cross-site or cross-application security breaches, so this directive
205 is not permitted in <var>.htaccess</var> contexts.</p>