Posted to users@httpd.apache.org by Roger Paanini <ro...@gmail.com> on 2016/08/23 20:26:15 UTC

[users@httpd] httpd session timeout

Folks, I have tried to configure httpd with session timeout but it does not
seem to work.
My httpd.conf has the following:

        Session on
        SessionMaxAge 1
        AuthType Basic
***

I was trying to put a timeout value of 1 sec just to test. This is not
working. Am I missing something?

Thanks for any pointers on this.

Re: [users@httpd] httpd session timeout

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Roger,

On 8/24/16 9:53 AM, Roger Paanini wrote:
> Chris, I am testing it by logging into the website using basic
> authentication, then waiting for the timeout duration and trying
> to access the page again. I am expecting to be challenged for
> credentials again when I try to access the page after the
> timeout. But I am never challenged after the timeout - even after
> several hours beyond the timeout value.

You are misunderstanding the nature of HTTP BASIC authentication.

If the server sends a 403 response, your browser will show an
authentication dialog (username/password) and then provide those
credentials to the server with a follow-up request for the same
resource. For subsequent requests, those same credentials will be sent
with no end-date. HTTP BASIC has no provision for "session expiration"
as a part of the spec (that's why it's called "BASIC").

If you want to *really* expire the session and request a new
authentication challenge, you'll need to do it yourself. For example:
when authentication succeeds, place a token in the session that says
"last authenticated request". But before you do that, check the
session to see when the last authenticated request actually was. If it
was more than e.g. 60 seconds ago, *you* need to respond with an HTTP
403 response. httpd is not going to do this for you.

> But I see the following messages in my log file... I suspect my
> session modules are not configured correctly?

I'm sure your session modules are configured correctly. You just
misunderstand what the protocol (and httpd) can do for you, and what
you will have to do yourself.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
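
The do-it-yourself expiry described in the reply above, as an added example (not code from the thread or from httpd): a signed cookie records the last authenticated request, and a request whose record is older than the limit is challenged again even though its Basic credentials verify. The names `handle`, `basic_user`, `unsign`, `set_cookie`, the `auth` cookie, the key and the user table are assumptions made for the sketch; it answers with 401 and a `WWW-Authenticate` header, the response that makes a browser show the Basic dialog.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-key"   # assumption: server-side cookie-signing key
USERS = {"alice": "s3cret"}        # constructed credential store for the demo
MAX_IDLE = 60                      # seconds; the "e.g. 60 seconds" from the reply

def mac_of(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def set_cookie(value):
    """Build a Set-Cookie header carrying `value` plus its HMAC."""
    return f"auth={value}.{mac_of(value)}; HttpOnly; Secure"

def unsign(cookie):
    """Return the signed value, or None if the cookie is absent or altered."""
    value, _, mac = (cookie or "").rpartition(".")
    ok = value and hmac.compare_digest(mac.encode(), mac_of(value).encode())
    return value if ok else None

def basic_user(header):
    """Return the user name if the Authorization header holds valid Basic credentials."""
    scheme, _, blob = (header or "").partition(" ")
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or UTF-8
        return None
    ok = (scheme.lower() == "basic" and user in USERS
          and hmac.compare_digest(USERS[user].encode(), pw.encode()))
    return user if ok else None

def handle(auth_header, cookie, now=None):
    """Decide one request; `cookie` is the value of the "auth" cookie, if any."""
    now = int(time.time() if now is None else now)
    user = basic_user(auth_header)
    state = unsign(cookie)
    owner, _, stamp = (state or ":").partition(":")
    fresh = state is not None and now - int(stamp) <= MAX_IDLE
    # owner == "" marks a challenge this server issued: the browser has just
    # prompted, so the credentials on this request were typed in again.
    if user and fresh and owner in ("", user):
        return 200, {"Set-Cookie": set_cookie(f"{user}:{now}")}
    # Stale, missing or foreign state: challenge even though the password verifies.
    return 401, {"WWW-Authenticate": 'Basic realm="demo"',
                 "Set-Cookie": set_cookie(f":{now}")}
```

The re-prompt relies on the browser discarding its cached credentials when it receives the 401. A client that stores the password itself can answer the challenge without user input, so this limits unattended browser sessions rather than the lifetime of the credentials.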


Re: [users@httpd] httpd session timeout

Posted by Marat Khalili <mk...@rqc.ru>.
> I am testing it by logging into the website using basic authentication [...]

The session you are observing is browser-based, not server-based. Your browser repeats the credentials, once learned, in every request until it's restarted (this may depend on the browser, of course). And the server verifies the credentials of every request; there's no session or timeout for HTTP authentication.
-- 

With Best Regards,
Marat Khalili


Re: [users@httpd] httpd session timeout

Posted by Roger Paanini <ro...@gmail.com>.
Forgot to mention... I am using httpd as a reverse proxy. But the
downstream server has no notion of a user or sessions.


Re: [users@httpd] httpd session timeout

Posted by Roger Paanini <ro...@gmail.com>.
Chris, I am testing it by logging into the website using basic
authentication, then waiting for the timeout duration and trying to access
the page again. I am expecting to be challenged for credentials again when
I try to access the page after the timeout. But I am never challenged
after the timeout - even after several hours beyond the timeout value.

But I see the following messages in my log file... I suspect my session
modules are not configured correctly?

[Wed Aug 24 08:41:46.851228 2016] [session:warn] [pid 61410:tid 140098663421696] [client x.x.x.x:5675] AH01815: session is enabled but no session modules have been configured, session not loaded:

I have the following in my httpd.conf:

LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
#LoadModule session_dbd_module modules/mod_session_dbd.so
***
<Location />
        Session on
        SessionMaxAge 1
        AuthType Basic
        AuthLDAPBindDN "xxxxx"
        AuthLDAPBindPassword "xxxx"
        AuthBasicProvider ldap
        AuthName "LDAP - login"
        AuthLDAPURL "xxxxx"
        Require valid-user
        Require ldap-group "xxxx"
        AuthLDAPRemoteUserAttribute uid
</Location>

Any thoughts on what I am missing?

Thanks!




Re: [users@httpd] httpd session timeout

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Roger,

On 8/23/16 4:26 PM, Roger Paanini wrote:
> Folks, I have tried to configure httpd with session timeout but it
> does not seem to work. My httpd.conf has the following:
> 
> Session on
> SessionMaxAge 1
> AuthType Basic
> ***
> 
> I was trying to put a timeout value of 1 sec just to test. This is
> not working. Am I missing something?
> 
> Thanks for any pointers on this.

How are you testing it? What did you expect? What happened if it
wasn't what you expected?

-chris


RE: [users@httpd] httpd session timeout

Posted by "Wasick, Tyler" <Ty...@teamcds.com>.
Check the logs for httpd.
