NCSU Wrap 1.6 Logo

General Information

 

What is WRAP?

WRAP is a web-based authentication mechanism that provides a reliable means of verifying your identity without requiring you to login to each individual, potentially insecure server. When you login to WRAP, your username and password are sent to an SSL-secured server where they are verified. Once verified, you are issued a cookie that contains your userid and connection information that has been encrypted by the WRAP Authentication server. Whenever you visit a WRAP protected website, your browser automatically sends the cookie to that webserver, where it verifies that the cookie is genuine and recognizes you by that userid.

Do I need to install anything on my browser to use WRAP?

No. WRAP uses the cookie mechanism that is built into all modern browsers. If you find that you are having problems with WRAP, you should check to make sure you have not disabled cookies in your browser.

How do I login to WRAP?

Whenever you try to access a WRAP-protected webpage, the webserver should automatically redirect you to login to WRAP if you do not already have a WRAP cookie.

If you need to login explicitly for some reason, use these links: WRAP 1.6 or WRAP 1.5/1.0

If you are having any problems logging in to WRAP, please refer to the WRAP Login FAQ.

How do I logout from WRAP?

You can use these links to remove your WRAP cookie: WRAP 1.6 or WRAP 1.5/1.0

You can also close your browser, and it should erase your cookie for you automatically. WRAP cookies also automatically expire after the time period that you selected when you logged in (1 or 10 hours).

What versions of WRAP are supported?

WRAP 1.0 - This version of WRAP has been used on campus for a number of years now. There are quite a few serious security problems with this version. Administrators are strongly encouraged to upgrade to version 1.6. Campus webservers run by ITD will be upgraded over the summer of 2001.

The login program for WRAP 1.0 was disabled at the end of the Summer session in 2001.

WRAP 1.5 - This version of WRAP was released in March of 2001. It fixes most of the security problems with WRAP 1.0. It is also written as a drop-in replacement for WRAP 1.0, so administrators could upgrade their servers to WRAP 1.5 without having to modify key files or CGI programs.

In spite of the fixes, there are still a few security problems related to the WRAP 1.0 format that could not be fixed in version 1.5. Therefore, administrators should only upgrade their servers to v1.5 as a quick fix while working on an upgrade to v1.6.

The login program for WRAP 1.5 will be disabled as soon as we can get the few remaining services that use it to upgrade to v1.6.

WRAP 1.6 - This is the new standard version of WRAP at NCSU. WRAP 1.6 uses a different cookie name and format from older versions. This means that users will be required to login to 1.6 and 1.5/1.0 systems separately, but it also means that a user will not be kept out of an older system if they hold a new-format cookie.

All servers should be updated to run WRAP 1.6 as soon as possible.

What server platforms are supported by WRAP?

WRAP offers three modules that can be used to check a user's identity by reading their WRAP cookie. There are modules for Apache 1.3.x and 2.0.x webservers, and a perl module for CGI programs running under any server.

Operating System Apache 1.3 module
mod_auth_wrap
Apache 2.0 module
apache2_auth_wrap
Perl Module
Wrap::Cookie
Solaris 2.6, 2.7, 2.8 Supported Supported Supported
Linux 2.2.x, 2.4.x Supported Supported Supported
Other Unix Not Supported

Untried, but it should work
Not Supported

Untried, but it should work
Not Supported

Untried, but it should work
Windows Supported Supported Not Supported

Untried, but should work
if libs are available in Perl

How do I add WRAP authentication to my web pages?

My web pages are in a WolfWare course locker.

Follow the instructions provided in the WolfWare FAQ: Where do I place restricted materials in my WolfWare course locker?

My web pages are on a common campus webserver such as www.ncsu.edu or www4.ncsu.edu.

Campus webservers run by OIT are using the Apache webserver software. You should be able to create your own .htaccess file in any directory where you want WRAP protection. You do not need to contact the webmaster to set this up for you.

I want to add WRAP authentication to some other ncsu.edu webserver.

If you want to use this software, we will require that you accept a Software Agreement before you will be given access to the download pages. Note that we only offer the WRAP software to employees of the University for use on University projects.

To view the agreement and request access to the WRAP software, please follow this link: WRAP Software Usage Agreement

I want to use WRAP authentication on a non-ncsu.edu webserver.

You cannot. The URL that you are trying to protect with WRAP must be in the *.ncsu.edu domain. Our login server, webauth.ncsu.edu, sets the WRAP cookie in the .ncsu.edu domain. Your browser will not send that cookie to any URL that does not match *.ncsu.edu. If you try it, you will find yourself in an endless loop where your browser keeps getting sent back to webauth.ncsu.edu to get a cookie that it will never pass along. This is a security feature of the HTTP Cookie specification and it cannot be avoided.

I have a WRAP protected CGI-bin directory, what information can I find out about the user?

In CGI scripts, you will have access to five environment variables that contain the WRAP cookie components. If you were using perl or PHP you could access them with code like this:

 Perl:
   $userid  = $ENV{'WRAP_USERID'};
   $affil   = $ENV{'WRAP_AFFIL'}; 
   $expdate = $ENV{'WRAP_EXPDATE'};
   $address = $ENV{'WRAP_ADDRESS'};
   $onproxy = $ENV{'WRAP_ONPROXY'};

 PHP:
   $userid  = $_SERVER['WRAP_USERID'];
      or
   $userid  = getenv('WRAP_USERID');

The bug described below has been fixed in the Apache 2.x module version 1.6.22. Please consider upgrading the module.

If you use mod_rewrite, especially to do internal redirects, you may run into a problem. On Apache 2.x servers, the WRAP phase of processing is run only once before the rewrite phase that changes the page request. When rewrite does run, it takes all of the current environment variables, prefixes them with 'REDIRECT_' and puts them back. The net result of this is, if you look for 'WRAP_USERID' in a redirected request, it will not be found. Instead, you will find 'REDIRECT_WRAP_USERID'.

WRAP on Apache 1.3 did not have this problem. In fact, mod_rewrite was still copying the variables as described, but Apache was also re-authorizing with WRAP and put the same variables back in a second time.

If you don't know if your script will be redirected or not, you should probably check for both sets of variables. You may also fiddle with Apache's rules to try to put the variables back. Here is an example of some .htaccess rules that may patch this problem.

    RewriteEngine On

    # replace missing WRAP_USERID
    RewriteCond %{ENV:REDIRECT_WRAP_USERID} !^$
    RewriteRule .* - [E=WRAP_USERID:%{ENV:REDIRECT_WRAP_USERID}]

    # redirect most pages to my index.php handler
    RewriteRule !\.(gif|jpg|css)$ index.php

The second rule performs the internal redirect. The first rule checks environment, and replaces WRAP_USERID with the value of REDIRECT_WRAP_USERID, if the latter is defined.

Where do I get the software?

Licensed users may obtain the software distributions and read the extended usage and security documentation by following one of these links:

WRAP 1.6 - (WRAP 1.5 and 1.0 are no longer available)