Making CAS Auth optinal if browser has a certain cookie stored

[Bryan K. Walton]

Hi Everybody,

I'm trying to configure Apache so that if a user has a certain cookie,
for that domain, stored in their browser, then CAS authentication is
bypassed. I'm trying to do an Apache config with mod_auth_cas, that
uses an If statement and looks like this:

<Directory "/var/www/website/web">
<If "!%{HTTP_COOKIE} =~ /cookiename/">
Options +ExecCGI +Includes
AuthType CAS
CASScope /
require valid-user
</If>
</Directory>

CASLoginURL https://casserver/cas/login
CASValidateURL https://casserver/cas/serviceValidate
CASSSOEnabled On
CASDebug On
CASVersion 2
CASCookiePath /var/cache/cas/
CASCookieHttpOnly Off
CASTimeout 28800
CASIdleTimeout 3600

I've verified that the cookie is set, but the If statement isn't
working. I'm always getting redirected to the CAS login server.

Is it possible to use an If Statement like this to make CAS auth
optional? If not, is there another way to bypass CAS auth if a
certain cookie is already present in the user's browser?

Thanks!
Bryan

[David Hawes]

On Tue, 1 Dec 2020 at 15:22, Bryan K. Walton <bwa...@leepfrog.com> wrote:
> Is it possible to use an If Statement like this to make CAS auth
> optional? If not, is there another way to bypass CAS auth if a
> certain cookie is already present in the user's browser?

A similar config works for me in both Directory and Location in Apache
2.4. Do you have some other config that also uses mod_auth_cas?

I'd be wary of doing this since simply knowing the name of the cookie
is enough to get access, but you know your use case and config, so it
may be fine for you.

[1ms8ygts]

Thanks, David, for the reassurance that it should be possible.  I think we found our config mistake.