Pubcookie

Pubcookie is a mechanism for centralized user authentication. Note that pubcookie does not handle authorization; it will only assert that a UWNetID and corresponding password have been correctly entered.

Because pubcookie is centralized, it allows the user to authenticate once for several applications. The authentication remains valid for up to eight hours.

To demonstrate how pubcookie works, you can try these two test applications. When you connect to one of them, you should be challenged for your UWNetID and a password. If you then connect to the other application, you will not be challenged, because your previous login is still valid.

Enabling Pubcookie

Pubcookie is enabled by entering the following lines into a .htaccess file:

AuthType UWNetID
AuthName "Application Name"
PubcookieAppID "Application Name"
Authorization Directives

where Application Name is a name you choose to associate with your application, and Authorization Directives are specific to your application. Some authorization examples are listed below.

If you are using another type of authentication, you need to remove all lines associated with that authentication. Examples of these lines are:

AuthType Basic
AuthUserFile /www/htaccess/u/my-passwd-file

or

AuthType Basic
AuthSrvService uapasswd
AuthSrvUserKey username
AuthSrvPassKey uapasswd

Pubcookie enforces the use of SSL connections, so you may choose to remove the command:

SSLRequireSSL

from your .htaccess file. Pubcookie will still redirect anyone who connects without SSL to an SSL connection before they are allowed to access your application.

Authenticating with SecurID

If you wish to force a user to authenticate with a username, password, and SecurID number, then change the AuthType line to:

AuthType SecurID

When using SecurID authentication, pubcookie will not reuse previously-entered credentials. In other words, if the user authenticated with pubcookie to another application and then attempted to connect to an application protected with SecurID, the server will once again ask for all credentials. If the credentials time out, then the user will also be prompted to reenter them.

Application Names

Pubcookie uses the concept of authentication domains, which are typically web applications. The default authentication domain is the directory protected by pubcookie. When the user moves from one authentication domain to another, there is a quick round trip through the login server. This round trip can be eliminated when moving among directories on the same web server by setting the PubcookieAppID variable. In the example settings above, "Application Name" would be the same for the different directories that make up one application.

Timeouts

Pubcookie allows you to modify the timeouts that it uses. There are two types of timeouts which can be specified in the .htaccess file:

PubCookieHardExpire seconds
How much time after a user first starts using an application until the application no longer considers the user's credentials to be valid. The default hard timeout is 8 hours, and the value must be between 1 and 12 hours.
PubCookieInactiveExpire seconds
The maximum amount of time which can pass between accesses before the cookie is no longer valid. If this is set to a short period of time, then a user's credentials may time out while filling out a long form. This timeout can be disabled by using -1 for the seconds field. Any value which is larger than the hard timeout will be considered to be the same as the hard timeout. The default inactive timeout is 30 minutes, and the minimum value is 5 minutes.

When either timeout happens, the browser is sent back to the login page. If UWNetID authentication is being used, then in most cases the browser will be sent right back to the application (unless more than 8 hours have passed since the user first authenticated to the login page). If you are using SecurID authentication, then when a timeout causes the user to go back to the login page, the user must reenter all credentials.

As an example, to set the hard timeout to 4 hours (4 * 60 * 60 or 14400 seconds) and the inactivity timeout to 10 minutes (10 * 60 or 600 seconds):

PubCookieHardExpire 14400
PubCookieInactiveExpire 600
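As an added example (not part of this page or of the pubcookie software), here is a small Python checker that parses a .htaccess fragment and applies the rules stated above: it flags leftover AuthUserFile and AuthSrv* directives, requires AuthType UWNetID or SecurID and a PubcookieAppID, validates the two timeout ranges, and works out the inactivity timeout pubcookie will actually apply (clamped to the hard timeout, or disabled by -1). The two fragments at the end are constructed samples.

```python
# Limits from the page: hard 1-12 h (default 8 h); inactivity min 5 min (default 30 min),
# -1 disables it, and a value above the hard timeout counts as the hard timeout.
HARD_MIN, HARD_MAX, HARD_DEFAULT = 1 * 3600, 12 * 3600, 8 * 3600
INACTIVE_MIN, INACTIVE_DEFAULT = 5 * 60, 30 * 60
STALE_PREFIXES = ("AuthUserFile", "AuthSrv")  # directives of other auth methods

def parse_htaccess(text):
    """Return (directive, argument) pairs, skipping blank and comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            entries.append((name, arg.strip()))
    return entries

def check_pubcookie(text):
    """Lint a fragment; returns (problems, {"hard": s, "inactive": s or None})."""
    problems, directives = [], {}
    for name, arg in parse_htaccess(text):
        directives[name] = arg
        if name.startswith(STALE_PREFIXES):
            problems.append(f"leftover directive from another auth method: {name}")
    auth = directives.get("AuthType")
    if auth not in ("UWNetID", "SecurID"):
        problems.append(f"AuthType must be UWNetID or SecurID, got {auth!r}")
    if "PubcookieAppID" not in directives:
        problems.append("PubcookieAppID is missing")
    hard = int(directives.get("PubCookieHardExpire", HARD_DEFAULT))
    if not HARD_MIN <= hard <= HARD_MAX:
        problems.append(f"PubCookieHardExpire {hard} is outside 1-12 hours")
    inactive = int(directives.get("PubCookieInactiveExpire", INACTIVE_DEFAULT))
    if inactive == -1:
        effective_inactive = None  # inactivity timeout disabled
    elif inactive < INACTIVE_MIN:
        problems.append(f"PubCookieInactiveExpire {inactive} is below 5 minutes")
        effective_inactive = inactive
    else:
        effective_inactive = min(inactive, hard)  # clamped to the hard timeout
    return problems, {"hard": hard, "inactive": effective_inactive}

# Constructed sample fragments (not from the page): one correct, one with leftovers.
SAMPLE_OK = 'AuthType UWNetID\nPubcookieAppID "Timesheet"\nPubCookieHardExpire 14400\nPubCookieInactiveExpire 600\n'
SAMPLE_BAD = "AuthType Basic\nAuthUserFile /www/htaccess/u/my-passwd-file\nPubCookieHardExpire 3600\nPubCookieInactiveExpire 7200\n"
```

Running check_pubcookie(SAMPLE_BAD) reports three problems and shows that the 7200-second inactivity value would be silently reduced to the 3600-second hard timeout.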

Authentication vs. Authorization

As mentioned above, pubcookie only handles authentication; the method you use for authorization does not change. However, here are some ways to implement authorization for common needs:

Allow All Authenticated Users

If you merely want to assert that a user has a UWNetID, you should use the following line in your .htaccess file:

require valid-user

Allow Only Faculty and Staff

The current method for authorizing only faculty and staff on www.washington.edu is to use this line in your .htaccess file:

require type faculty staff

More Authorization Examples

More examples for authorization are available on the Weblogin and Access Control page.