Posted to users@httpd.apache.org by David Bernick <be...@alpha.bernztech.org> on 2002/06/12 05:32:02 UTC

Apache and improper timeout

In Apache, I have set a forced timeout on the authentication. If a user is
idle for 20 minutes, the server destroys their SessionID and the user is
presented with a 401 error (and an authentication box). If the user
doesn't authenticate properly at this point, they are presented with an
UNAUTHORIZED page. This is correct behavior. However, if the user hits
"refresh" in any number of browsers (particularly IE), they are not
prompted with the usual Authentication box, but are simply allowed into
the page. I guess the browser auto sends the username/passwd string.

So the security hole in this is obvious. From a server standpoint, this is
still correct behavior. I know Apache says that this is a browser issue
and not a server issue. I agree with this point, too, but Microsoft isn't
about to start changing their browser to do this function anytime in the
near future. There might be options to do this in the browser already, but
it is hardly a default setting. 

I could use a cookie or session to generate some sort of token to get my
desired behavior, but I have another solution so I don't have to touch my
Application that resides on the webserver. AuthName (the Realm) is the
key, from what I understand, to bringing up the Authentication. The
browser brings up the authentication even if the URL is the same and the
Realm is different.

I thought that instead of having AuthName in the .htaccess file, the name
could be generated from code and sent to the browser and it would remain
part of the session. If the session times out or a new session is
activated, a new Realm name is generated. I know this wouldn't solve all
problems, but it WOULD solve this one.

My question is: does anyone have an Apache module that would solve this or
have they heard of one? Is this random Realm thing a good idea or is it
crud? Anyone have a better idea that wouldn't require a change in the
application code? Changing the web application is a possibility, but it's
my desire not to change it.

I am using Apache 1.3.x. I am using Perl Auth_DBI to do my Basic
Authentication scheme.

Thanks!

d

-- 
David Bernick
bernz@bernztech.org

Age before beauty; and pearls before swine.
		-- Dorothy Parker


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Apache and improper timeout

Posted by David Bernick <be...@alpha.bernztech.org>.
> Can't answer your questions, but I am interested in how you did the forced
> timeout, destruction of session ID and presentation of authentication box.

In the Auth_DBI module for perl, we have each successful login (and
subsequent page view) renew a timestamp and if the timestamp is more than
20 minutes old, we force an auth.

-- 
David Bernick
bernz@bernztech.org

The Moral Majority is neither.


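An added example (the editor's, not code from the thread, from Apache or from Auth_DBI) modelling the mechanism described in the two messages above: a server that renews a per-user timestamp on every authenticated request and challenges again after 20 idle minutes, with and without the realm-rotation idea, driven by a browser that caches Basic credentials per realm and resends them on refresh. The user table, the realm strings and the browser model are assumptions made for the example. The row worth looking at is raw_replay: with or without rotation, a client that simply replays the old Authorization header after the timeout is still accepted, because the password itself has not changed.

```python
"""Basic-auth idle timeout with realm (AuthName) rotation, modelled in Python.
Added example, not code from the thread or from Apache/Auth_DBI. The 20-minute
window comes from the posts; users, realm names and the browser are assumptions."""
import base64, hmac, secrets

IDLE_TIMEOUT = 20 * 60        # seconds, as in the post
DEFAULT_REALM = "app"         # assumed AuthName before any rotation
USERS = {"alice": "s3cret"}   # constructed sample credential store


def basic_header(user, pw):
    """Authorization value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def parse_realm(www_authenticate):
    """Realm from a 'Basic realm="..."' challenge value."""
    return www_authenticate.partition('realm="')[2].split('"', 1)[0]


class Server:
    """Apache + Auth_DBI stand-in: last-seen time per user, one rotating realm."""

    def __init__(self, rotate_realm):
        self.rotate_realm = rotate_realm
        self.realm = DEFAULT_REALM
        self.last_seen = {}   # user -> time of the last authenticated request

    def _challenge(self):
        return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}

    def handle(self, headers, now):
        """Return (status, response headers) for one request at time `now`."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return self._challenge()
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return self._challenge()
        if user not in USERS or not hmac.compare_digest(USERS[user].encode(), pw.encode()):
            return self._challenge()          # constant-time password compare
        last = self.last_seen.get(user)
        if last is not None and now - last > IDLE_TIMEOUT:
            # Idle too long: drop the session. The password is still valid, so only a
            # new realm stops a realm-keyed browser cache from silently resending it.
            del self.last_seen[user]
            if self.rotate_realm:
                self.realm = "app-" + secrets.token_hex(8)
            return self._challenge()
        self.last_seen[user] = now
        return 200, {}


class Browser:
    """Credential cache keyed by realm, the behaviour the post relies on."""

    def __init__(self, user, pw):
        self.user, self.pw = user, pw
        self.cache = {}      # realm -> Authorization value
        self.realm = None    # realm the server last challenged with
        self.prompts = 0     # how many times the login box appeared

    def refresh(self, server, now):
        """Hit refresh: resend what is cached for the current realm, never prompt."""
        headers = {}
        if self.realm in self.cache:
            headers["Authorization"] = self.cache[self.realm]
        status, resp = server.handle(headers, now)
        if status == 401:
            self.realm = parse_realm(resp["WWW-Authenticate"])
        return status

    def navigate(self, server, now, answer_prompt=True):
        """Load the page; a 401 puts up the login box, which the user may cancel."""
        status = self.refresh(server, now)
        if status == 401:
            self.prompts += 1
            if not answer_prompt:
                return status                       # the UNAUTHORIZED page
            self.cache[self.realm] = basic_header(self.user, self.pw)
            status = self.refresh(server, now)
        return status


def scenario(rotate_realm):
    """Log in, go idle past the timeout, cancel the re-login box, hit refresh."""
    server, browser = Server(rotate_realm), Browser("alice", "s3cret")
    browser.navigate(server, 0)                             # first login, one prompt
    browser.navigate(server, 600)                           # active, no prompt
    old_header = browser.cache[DEFAULT_REALM]
    t = 600 + IDLE_TIMEOUT + 1                              # one second past idle
    cancelled = browser.navigate(server, t, answer_prompt=False)
    refreshed = browser.refresh(server, t + 5)              # the bypass from the post
    replayed, _ = server.handle({"Authorization": old_header}, t + 10)  # the caveat
    relogin = browser.navigate(server, t + 15)
    return {"cancelled": cancelled, "refresh": refreshed, "raw_replay": replayed,
            "relogin": relogin, "prompts": browser.prompts}
```

scenario(False) reproduces the post: the cancelled prompt is a 401, the refresh right after it is a 200, and the login box appeared only twice. scenario(True) turns that refresh into a 401 and forces a third prompt, but raw_replay is 200 in both runs: the server cannot tell a retyped password from a cached or captured one, so rotating AuthName changes what the browser shows the user, not what the server accepts. Basic auth has no server-side logout short of changing the credential or moving to a server-issued session token, which is the cookie option mentioned in the first message.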


Re: Apache and improper timeout

Posted by MikeParton <mi...@nimblesdg.com>.
David -

Can't answer your questions, but I am interested in how you did the forced
timeout, destruction of session ID and presentation of authentication box.

TIA
Mike
----- Original Message -----
From: "David Bernick" <be...@alpha.bernztech.org>
To: <us...@httpd.apache.org>
Sent: Tuesday, June 11, 2002 11:32 PM
Subject: Apache and improper timeout