Posted to users@httpd.apache.org by redhat <re...@fayelectric.com> on 2004/07/13 19:38:24 UTC

[users@httpd] kill .htaccess session

I have a few Linux servers that I use internally for some minor web
applications that I have written.  Most of these are used only by myself
and my assistant.  I have some sensitive information on here as well as
other information that I need when going from one user's computer to
another that needs to be kept private.  I tried using PHP and MySQL
authorization and got it to work on the parent page but if someone
pulled up the history and went to a subsequent page it would let them
right in without user/pass.  I like .htaccess because it keeps the
entire directory secure enough for me.  My problem is this: it seems to
keep the session open for an unspecified period of time.  I know in PHP
I can kill the session by issuing another variable with a null value. 
How can I do this using .htaccess?  Any help appreciated.
thanks,
Doug


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] kill .htaccess session

Posted by Jim Maul <jm...@elih.org>.
Quoting Joshua Slive <js...@gmail.com>:

> On Tue, 13 Jul 2004 12:38:24 -0500, redhat <re...@fayelectric.com> wrote:
>> I have a few Linux servers that I use internally for some minor web
>> applications that I have written.  Most of these are used only by myself
>> and my assistant.  I have some sensitive information on here as well as
>> other information that I need when going from one user's computer to
>> another that needs to be kept private.  I tried using PHP and MySQL
>> authorization and got it to work on the parent page but if someone
>> pulled up the history and went to a subsequent page it would let them
>> right in without user/pass.  I like .htaccess because it keeps the
>> entire directory secure enough for me.  My problem is this: it seems to
>> keep the session open for an unspecified period of time.  I know in PHP
>> I can kill the session by issuing another variable with a null value.
>> How can I do this using .htaccess?  Any help appreciated.
>
> This is basically impossible.
>

I pretty much agree with this.

> To start, the session is entirely in the hands of the browser.  The
> browser chooses when to send a password and when not to.  Most
> browsers will only forget the password if you shut them down.
>
> Googling for "htaccess logout" will give you various ideas for trying
> to trick the browser into forgetting the password.  But I don't know
> of any that are foolproof.
>

I've tried for about 2 months (off and on) to come up with a secure way to do
authentication with .htaccess and provide a logout with timeout.  I kept
running into problems that finally caused me to use custom auth programming and
PHP sessions.  There is no standard way that I know of to REALLY log the user
out using .htaccess.  Browsers are just not standard enough.

Jim

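Joshua's point (the "session" lives only in the browser, which resends the password on every request) and Jim's point (the only real logout comes from doing the auth yourself) made concrete. This is an added example, not code from the thread or from the Apache project: HTTP Basic auth checked by PHP instead of by .htaccess, with the widely circulated "answer 401 to log out" trick included so its limits are visible. The realm name, the constructed htpasswd text and the `?logout=1` convention are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. HTTP Basic auth handled by PHP
// instead of .htaccess, to make the point concrete: the server keeps no
// session state at all, so there is nothing server-side to "kill".
// The realm, the constructed htpasswd text and the ?logout=1 convention are
// assumptions made for this example.

declare(strict_types=1);

const REALM = 'Private';

// Constructed sample in htpasswd format. In real use read this from a file
// outside the document root; the {SHA} entry below is for the password
// "password" and exists only so the example is self-contained.
const HTPASSWD_TEXT = "doug:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n";

/** Parse htpasswd text ("user:hash" per line) into [user => hash]. */
function parse_htpasswd(string $text): array
{
    $users = [];
    foreach (preg_split('/\R/', $text) as $line) {
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        [$user, $hash] = explode(':', $line, 2);
        $users[$user] = $hash;
    }
    return $users;
}

/** Verify a password against one entry: {SHA} (htpasswd -s) or bcrypt (htpasswd -B). */
function htpasswd_verify(string $password, string $hash): bool
{
    if (strncmp($hash, '{SHA}', 5) === 0) {
        // Unsalted SHA-1: weak, accepted only for existing files. Use -B for new ones.
        return hash_equals(substr($hash, 5), base64_encode(sha1($password, true)));
    }
    if (strncmp($hash, '$2y$', 4) === 0) {
        return password_verify($password, $hash);
    }
    return false;   // crypt(3) and apr1-MD5 entries are deliberately rejected here
}

/** Answer 401 with a challenge and stop; what happens next is up to the browser. */
function challenge(): void
{
    header('WWW-Authenticate: Basic realm="' . REALM . '"');
    http_response_code(401);
    echo "Authentication required.\n";
    exit;
}

// "Logout" trick: reject the request even though the credentials may be valid.
// Many browsers drop the cached password after a 401, but that is browser
// behaviour the server cannot enforce, so this is best effort, not a guarantee.
if (($_GET['logout'] ?? '') === '1') {
    challenge();
}

// Every request starts from zero: verify whatever the browser sent this time.
// PHP_AUTH_USER / PHP_AUTH_PW are populated when PHP runs as an Apache module.
$user  = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass  = $_SERVER['PHP_AUTH_PW'] ?? '';
$users = parse_htpasswd(HTPASSWD_TEXT);

if ($user === '' || !isset($users[$user]) || !htpasswd_verify($pass, $users[$user])) {
    challenge();
}

// Authenticated for this request only; the next request is verified again.
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "\n";
```

The thing to notice is that nothing in the script survives between requests: no token, no timestamp, no server-side record. That is why there is no timeout to configure and no session to invalidate, and why the `?logout=1` branch can only ask the browser to forget. A browser that keeps the credentials anyway (or a user who re-enters them) is back in on the next request, which is the "not foolproof" Joshua describes.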


Re: [users@httpd] kill .htaccess session

Posted by Joshua Slive <js...@gmail.com>.
On Tue, 13 Jul 2004 12:38:24 -0500, redhat <re...@fayelectric.com> wrote:
> I have a few Linux servers that I use internally for some minor web
> applications that I have written.  Most of these are used only by myself
> and my assistant.  I have some sensitive information on here as well as
> other information that I need when going from one user's computer to
> another that needs to be kept private.  I tried using PHP and MySQL
> authorization and got it to work on the parent page but if someone
> pulled up the history and went to a subsequent page it would let them
> right in without user/pass.  I like .htaccess because it keeps the
> entire directory secure enough for me.  My problem is this: it seems to
> keep the session open for an unspecified period of time.  I know in PHP
> I can kill the session by issuing another variable with a null value.
> How can I do this using .htaccess?  Any help appreciated.

This is basically impossible.

To start, the session is entirely in the hands of the browser.  The
browser chooses when to send a password and when not to.  Most
browsers will only forget the password if you shut them down.

Googling for "htaccess logout" will give you various ideas for trying
to trick the browser into forgetting the password.  But I don't know
of any that are foolproof.

Joshua.



Re: [users@httpd] kill .htaccess session

Posted by Tim Burden <ti...@burden.ca>.
I see now.

You might find auto_prepend_file handy for automatically getting your auth
code on the top of every page.

http://www.php.net/manual/en/ini.sect.data-handling.php

----- Original Message ----- 
From: "redhat" <re...@fayelectric.com>
To: "apachelist" <us...@httpd.apache.org>
Sent: Tuesday, July 13, 2004 2:29 PM
Subject: Re: [users@httpd] kill .htaccess session


> On Tue, 2004-07-13 at 12:51, Tim Burden wrote:
> > I don't seem to understand:
> > "I tried using PHP and MySQL authorization and got it to work on the parent
> > page but if someone pulled up the history and went to a subsequent page it
> > would let them right in without user/pass."
> >
> > Isn't that what you want? Once you authenticate once with .htaccess (HTTP
> > auth) you can see any page in any directory below the one with the .htaccess
> > file.
> >
> > ----- Original Message ----- 
> > From: "redhat" <re...@fayelectric.com>
> > To: "apachelist" <us...@httpd.apache.org>
> > Sent: Tuesday, July 13, 2004 1:38 PM
> > Subject: [users@httpd] kill .htaccess session
> >
> >
> > > I have a few Linux servers that I use internally for some minor web
> > > applications that I have written.  Most of these are used only by myself
> > > and my assistant.  I have some sensitive information on here as well as
> > > other information that I need when going from one user's computer to
> > > another that needs to be kept private.  I tried using PHP and MySQL
> > > authorization and got it to work on the parent page but if someone
> > > pulled up the history and went to a subsequent page it would let them
> > > right in without user/pass.  I like .htaccess because it keeps the
> > > entire directory secure enough for me.  My problem is this: it seems to
> > > keep the session open for an unspecified period of time.  I know in PHP
> > > I can kill the session by issuing another variable with a null value.
> > > How can I do this using .htaccess?  Any help appreciated.
> > > thanks,
> > > Doug
> > >
> >
> I suppose what I meant was that at a later time (using PHP/MySQL) an
> end-user could pull up a page that I didn't want them to have access to
> simply because the authentication took place on the index login page.  I
> guess I need to dig deeper into php/mysql authentication to make this
> work.  I appreciate all the help.  It sounds like some of you others
> understood what I meant and have experienced the same thing.
> thanks,
> Doug
>
>


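Tim's auto_prepend_file suggestion carried through, as an added example that is not from the thread: a guard script PHP runs before every page in the protected directory, so a page pulled up from the history is checked exactly like the index page, and a logout or timeout is enforced on the server rather than left to the browser. It is enabled with `php_value auto_prepend_file /var/www/private/auth_guard.php` in the directory's .htaccess under mod_php (with `AllowOverride Options` or `All` in force), or with `auto_prepend_file=...` in a `.user.ini` under php-fpm/CGI. The path, the two time limits, the login/logout URLs and the session field names are assumptions made for this example.

```php
<?php
// Added example, not code from the thread: a guard that auto_prepend_file
// runs before every PHP page in the protected directory. The path, the time
// limits and the login/logout URLs are assumptions made for this example.

declare(strict_types=1);

const IDLE_LIMIT     = 15 * 60;   // seconds of inactivity before the session is dropped
const ABSOLUTE_LIMIT = 8 * 3600;  // hard cap on session age, active or not
const LOGIN_PAGE     = '/login.php';
const LOGOUT_PAGE    = '/logout.php';

/** Start the session with a browser-lifetime, HttpOnly, SameSite cookie. */
function start_session(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params([
        'lifetime' => 0,        // cookie is discarded when the browser closes
        'path'     => '/',
        'secure'   => $https,   // only over TLS when the site is served over TLS
        'httponly' => true,     // not readable from script
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Destroy the session server-side and expire the cookie: a real logout. */
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

/** Called by the login page once the password has been verified. */
function login_user(string $name): void
{
    session_regenerate_id(true);      // fresh ID on login, against session fixation
    $now = time();
    $_SESSION['user']      = $name;
    $_SESSION['started']   = $now;
    $_SESSION['last_seen'] = $now;
}

/** Pure policy check, so it can be tested without a web server. */
function session_is_live(array $s, int $now): bool
{
    if (!isset($s['user'], $s['started'], $s['last_seen'])) {
        return false;
    }
    // session.gc_maxlifetime only hints at garbage collection, so both
    // limits are enforced here on every request.
    return ($now - $s['last_seen']) <= IDLE_LIMIT
        && ($now - $s['started'])   <= ABSOLUTE_LIMIT;
}

function send_to_login(): void
{
    header('Location: ' . LOGIN_PAGE, true, 303);
    exit;
}

start_session();
$self = $_SERVER['SCRIPT_NAME'] ?? '';

if ($self === LOGOUT_PAGE) {
    end_session();
    send_to_login();
}
if ($self === LOGIN_PAGE) {
    return;   // the login page runs unauthenticated and calls login_user() on success
}
if (!session_is_live($_SESSION, time())) {
    end_session();   // absent or stale: drop it rather than let it linger
    send_to_login();
}
$_SESSION['last_seen'] = time();   // sliding idle window
```

The login page itself stays small: look up the user's hash in MySQL, call `password_verify()` on the submitted password, and on success call `login_user($name)` and redirect. Because the guard is prepended to every script, a page reached from the history either has a live session or bounces to the login page, which is the behaviour Doug was missing, and the logout page destroys the session on the server so no browser quirk can bring it back.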


Re: [users@httpd] kill .htaccess session

Posted by redhat <re...@fayelectric.com>.
On Tue, 2004-07-13 at 12:51, Tim Burden wrote:
> I don't seem to understand:
> "I tried using PHP and MySQL authorization and got it to work on the parent
> page but if someone pulled up the history and went to a subsequent page it
> would let them right in without user/pass."
> 
> Isn't that what you want? Once you authenticate once with .htaccess (HTTP
> auth) you can see any page in any directory below the one with the .htaccess
> file.
> 
> ----- Original Message ----- 
> From: "redhat" <re...@fayelectric.com>
> To: "apachelist" <us...@httpd.apache.org>
> Sent: Tuesday, July 13, 2004 1:38 PM
> Subject: [users@httpd] kill .htaccess session
> 
> 
> > I have a few Linux servers that I use internally for some minor web
> > applications that I have written.  Most of these are used only by myself
> > and my assistant.  I have some sensitive information on here as well as
> > other information that I need when going from one user's computer to
> > another that needs to be kept private.  I tried using PHP and MySQL
> > authorization and got it to work on the parent page but if someone
> > pulled up the history and went to a subsequent page it would let them
> > right in without user/pass.  I like .htaccess because it keeps the
> > entire directory secure enough for me.  My problem is this: it seems to
> > keep the session open for an unspecified period of time.  I know in PHP
> > I can kill the session by issuing another variable with a null value.
> > How can I do this using .htaccess?  Any help appreciated.
> > thanks,
> > Doug
> >
> 
I suppose what I meant was that at a later time (using PHP/MySQL) an
end-user could pull up a page that I didn't want them to have access to
simply because the authentication took place on the index login page.  I
guess I need to dig deeper into php/mysql authentication to make this
work.  I appreciate all the help.  It sounds like some of you others
understood what I meant and have experienced the same thing.
thanks,
Doug




Re: [users@httpd] kill .htaccess session

Posted by Tim Burden <ti...@burden.ca>.
I don't seem to understand:
"I tried using PHP and MySQL authorization and got it to work on the parent
page but if someone pulled up the history and went to a subsequent page it
would let them right in without user/pass."

Isn't that what you want? Once you authenticate once with .htaccess (HTTP
auth) you can see any page in any directory below the one with the .htaccess
file.

----- Original Message ----- 
From: "redhat" <re...@fayelectric.com>
To: "apachelist" <us...@httpd.apache.org>
Sent: Tuesday, July 13, 2004 1:38 PM
Subject: [users@httpd] kill .htaccess session


> I have a few Linux servers that I use internally for some minor web
> applications that I have written.  Most of these are used only by myself
> and my assistant.  I have some sensitive information on here as well as
> other information that I need when going from one user's computer to
> another that needs to be kept private.  I tried using PHP and MySQL
> authorization and got it to work on the parent page but if someone
> pulled up the history and went to a subsequent page it would let them
> right in without user/pass.  I like .htaccess because it keeps the
> entire directory secure enough for me.  My problem is this: it seems to
> keep the session open for an unspecified period of time.  I know in PHP
> I can kill the session by issuing another variable with a null value.
> How can I do this using .htaccess?  Any help appreciated.
> thanks,
> Doug
>
>

