Posted to users@httpd.apache.org by Thomas Fazekas <th...@gmail.com> on 2022/06/05 09:59:31 UTC

[users@httpd] mod_session SessionMaxAge

Dear all,

Either I misunderstood how the SessionMaxAge setting is supposed to work or
I made a fundamental mistake in my setup, but, in a nutshell, it seems that
users can access the form-protected (form_auth) folder even after the
session has expired.

I have the following related setup:

    <Directory /opt/webroot/public>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /opt/webroot/private_form>
        AuthFormProvider file
        AuthUserFile "conf/passwd"
        AuthType Form
        AuthName FormProtected
        AuthFormUsername fauser
        AuthFormPassword fapass
        Session On
        SessionCookieName fasession path=/
        SessionMaxAge 120

        ErrorDocument 401 /webdoc/login.html
    </Directory>

    <IfModule alias_module>
        Alias /webdoc /opt/webroot/public/doc
        ScriptAlias /webscr /opt/webroot/private_form/scr
    </IfModule>

(All this goes on via SSL, just in case that makes any difference.)
Now, the first time I point my browser to
"https://localhost/webscr/testscript" I am correctly redirected to the login
page and required to provide a username and password.
The problem is that, after successfully logging in, even though I can see
the session cookie expiration set to 2 mins, if I wait longer than that
without closing my browser, a simple refresh of the page lets me back in
without needing to re-authenticate.

"https://localhost/webscr/testscript" is just a simple shell script that
returns all environment variables.

Now, even though I keep the browser open, if I refresh the page after the
expiration period, shouldn't I be forced to the login page again? What am I
missing?

Thanks in advance,
Thomas

Re: [users@httpd] mod_session SessionMaxAge

Posted by Thomas Fazekas <th...@gmail.com>.
Thanks for the quick reply, and my apologies for the incomplete setup
(copy-paste typo).
I do in fact have an authentication requirement via "Require valid-user"
(as proven by the fact that the first time I try to access the script I am
redirected to the login page).

I think I know what is happening: whenever my session expires and I
refresh the page, the browser simply resubmits the form, so it logs me in
again:
[image: image.png]

So if I'm right, the question would be: how do I protect the site against
that?

On Sun, Jun 5, 2022 at 12:19 PM Eric Covener <co...@gmail.com> wrote:

> It looks to me like you don't actually have an authentication requirement,
> so when your session expires it doesn't trigger a redirect to your login
> form. Try protecting the cgi or some larger scope with e.g. 'require
> valid-user'
>
> On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <th...@gmail.com>
> wrote:
>
>> Dear all,
>>
>> either I misunderstood how the SessionMaxAge setting is supposed to work
>> or I made a fundamental mistake in my setup, but, in a nutshell, it seems
>> that the users can access the form protected (form_auth) folder even after
>> the session has expired.
>>
>> I have the following related setup :
>>
>>                 <Directory /opt/webroot/public>
>>                         Options None
>>                         AllowOverride None
>>                         Require all granted
>>                 </Directory>
>>
>>                 <Directory /opt/webroot/private_form>
>>                         AuthFormProvider file
>>                         AuthUserFile "conf/passwd"
>>                         AuthType Form
>>                         AuthName FormProtected
>>                         AuthFormUsername fauser
>>                         AuthFormPassword fapass
>>                         Session On
>>                         SessionCookieName fasession path=/
>>                         SessionMaxAge 120
>>
>>                         ErrorDocument 401 /webdoc/login.html
>>                 </Directory>
>>
>>                 <IfModule alias_module>
>>                         Alias /webdoc /opt/webroot/public/doc
>>                         ScriptAlias /webscr /opt/webroot/private_form/scr
>>                 </IfModule>
>>
>> (all this goes on via SSL, just in case that makes any difference)
>> Now, when the first time I point my browser to "
>> https://localhost/webscr/testscript" I am correctly redirected to the
>> login page and required to provide a username and pass.
>> The problem is that, after successfully logging in, even though I can see
>> the session cookie expiration set to 2 mins, if I wait longer than that
>> without closing my browser,
>> in case of a simple refresh of the page I'm being allowed back in without
>> needing to re-authenticate.
>>
>> The "https://localhost/webscr/testscript" it's just a simple shell
>> script that returns all environment variables.
>>
>> Now, even though I keep the browser open, if I refresh the page after the
>> expiration period shouldn't I be forced to the login page again ? What am I
>> missing ?
>>
>> Thanks in advance,
>> Thomas
>>
>>
>>

Re: [users@httpd] mod_session SessionMaxAge

Posted by Thomas Fazekas <th...@gmail.com>.
Eric,

I'm not sure I understand your last comment. Isn't a "Directory" a
"protected space"?
For the sake of completeness, here is my full config (I hope this doesn't
make my post too long):

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /opt/webroot/public/doc
        ErrorLog ${APACHE_LOG_DIR}/https_error.log
        #CustomLog ${APACHE_LOG_DIR}/https_access.log combined
        CustomLog ${APACHE_LOG_DIR}/https_access.log vhost_ssl_combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/server/https.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server/https.key
        #SSLCACertificatePath /etc/apache2/ssl/ca/
        SSLCACertificateFile /etc/apache2/ssl/ca/users_chain.crt

        <Directory /opt/webroot/public>
            Options None
            AllowOverride None
            Require all granted
        </Directory>

        <Directory /opt/webroot/private_form>
            Options Indexes
            AllowOverride None

            AuthFormProvider file
            AuthUserFile "conf/passwd"

            Require valid-user

            AuthType Form
            AuthName FormProtected
            AuthFormUsername fauser
            AuthFormPassword fapass
            Session On
            SessionCookieName fasession path=/
            SessionMaxAge 120

            ErrorDocument 401 /webdoc1/login.html

            SSLOptions +StdEnvVars +ExportCertData
        </Directory>

        <IfModule alias_module>
            Alias /webdoc1 /opt/webroot/public/doc
            ScriptAlias /webscr1 /opt/webroot/private_form/scr
        </IfModule>

    </VirtualHost>
</IfModule>

In the "/opt/webroot/public/doc" folder I have a simple static HTML page asking
for username/password (obviously with the right field names fauser/fapass),
whereas in "/opt/webroot/private_form/scr" I have a simple shell script
which just displays the environment.

Now if I point my browser to "https://172.17.0.3:13443/webscr1/testscript.sh"
I am redirected to the login page (as expected).
Once I provide the username/pass I am redirected to the script and it
correctly lists all environment variables.

The problem I have is that the browser seems to cache the provided
username/password, and if I refresh the page after 120 secs of inactivity
it simply logs me in again.
I know it does authenticate again from the cache because (as a test) I
changed the password in the meantime and the authentication then
failed.

In practical terms, what this means is that if the user leaves the
browser window open, the next person (even after 120 secs) would be able to
use the session without re-authenticating.
So then what's the point of the "SessionMaxAge" setting?


On Sun, Jun 5, 2022 at 12:54 PM Eric Covener <co...@gmail.com> wrote:

> I'm not sure why your initial redirect works, but it looks like the
> mod_auth_form config seems to be in the wrong scope.
>
> It should be attached to the protected space, not a config section
> representing the form itself.
>
> On Sun, Jun 5, 2022 at 6:18 AM Eric Covener <co...@gmail.com> wrote:
> >
> > It looks to me like you don't actually have an authentication
> requirement, so when your session expires it doesn't trigger a redirect to
> your login form. Try protecting the cgi or some larger scope with e.g.
> 'require valid-user'
> >
> > On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <th...@gmail.com>
> wrote:
> >>
> >> Dear all,
> >>
> >> either I misunderstood how the SessionMaxAge setting is supposed to
> work or I made a fundamental mistake in my setup, but, in a nutshell, it
> seems that the users can access the form protected (form_auth) folder even
> after the session has expired.
> >>
> >> I have the following related setup :
> >>
> >>                 <Directory /opt/webroot/public>
> >>                         Options None
> >>                         AllowOverride None
> >>                         Require all granted
> >>                 </Directory>
> >>
> >>                 <Directory /opt/webroot/private_form>
> >>                         AuthFormProvider file
> >>                         AuthUserFile "conf/passwd"
> >>                         AuthType Form
> >>                         AuthName FormProtected
> >>                         AuthFormUsername fauser
> >>                         AuthFormPassword fapass
> >>                         Session On
> >>                         SessionCookieName fasession path=/
> >>                         SessionMaxAge 120
> >>
> >>                         ErrorDocument 401 /webdoc/login.html
> >>                 </Directory>
> >>
> >>                 <IfModule alias_module>
> >>                         Alias /webdoc /opt/webroot/public/doc
> >>                         ScriptAlias /webscr
> /opt/webroot/private_form/scr
> >>                 </IfModule>
> >>
> >> (all this goes on via SSL, just in case that makes any difference)
> >> Now, when the first time I point my browser to "
> https://localhost/webscr/testscript" I am correctly redirected to the
> login page and required to provide a username and pass.
> >> The problem is that, after successfully logging in, even though I can
> see the session cookie expiration set to 2 mins, if I wait longer than that
> without closing my browser,
> >> in case of a simple refresh of the page I'm being allowed back in
> without needing to re-authenticate.
> >>
> >> The "https://localhost/webscr/testscript" it's just a simple shell
> script that returns all environment variables.
> >>
> >> Now, even though I keep the browser open, if I refresh the page after
> the expiration period shouldn't I be forced to the login page again ? What
> am I missing ?
> >>
> >> Thanks in advance,
> >> Thomas
> >>
> >>
>
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
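What the thread describes (a refresh re-posting the credentials to the protected URL, so the user is silently logged in again after SessionMaxAge) is avoided when the login form posts to a dedicated login handler that answers with a redirect: the page the browser ends up on is then the result of a GET, and a refresh after expiry is a GET with an expired session, which mod_auth_form sends back to the login page. The configuration below is an added example, not a reply from the thread or the httpd project's own documentation; the /dologin and /dologout locations, the HttpOnly/Secure cookie attributes and the passphrase are assumptions, and SessionCryptoPassphrase requires mod_session_crypto to be loaded.

```apache
# Added example (not from the thread). Paths, the /dologin and
# /dologout locations and the passphrase are assumptions.

# 1. The protected space: Require plus session settings. An
#    unauthenticated or expired request is redirected (302) to the
#    login page instead of being answered with an inline 401 form.
<Directory /opt/webroot/private_form>
    AuthType Form
    AuthName FormProtected
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    Require valid-user

    Session On
    SessionCookieName fasession path=/;httponly;secure
    # Needs mod_session_crypto; the cookie is otherwise stored in clear.
    SessionCryptoPassphrase "CHANGE-ME-long-random-passphrase"
    SessionMaxAge 120

    AuthFormLoginRequiredLocation /webdoc1/login.html
</Directory>

# 2. The login handler: login.html posts fauser/fapass here, never to
#    the script URL, so no browser page holds a POST of credentials.
<Location /dologin>
    SetHandler form-login-handler
    AuthType Form
    AuthName FormProtected
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthFormUsername fauser
    AuthFormPassword fapass
    # Target after a successful login when the form carries no
    # hidden httpd_location field with the originally requested URL.
    AuthFormLoginSuccessLocation /webscr1/testscript.sh

    Session On
    SessionCookieName fasession path=/;httponly;secure
    SessionCryptoPassphrase "CHANGE-ME-long-random-passphrase"
    SessionMaxAge 120
</Location>

# 3. An explicit logout that clears the session cookie.
<Location /dologout>
    SetHandler form-logout-handler
    AuthFormLogoutLocation /webdoc1/login.html
    Session On
    SessionCookieName fasession path=/;httponly;secure
    SessionCryptoPassphrase "CHANGE-ME-long-random-passphrase"
</Location>
```

login.html then needs `<form method="POST" action="/dologin">` with the fauser and fapass fields; after the 302 the address bar holds /webscr1/testscript.sh as a GET, so a refresh once the 120 s have passed lands on the login page again.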

Re: [users@httpd] mod_session SessionMaxAge

Posted by Eric Covener <co...@gmail.com>.
I'm not sure why your initial redirect works, but it looks like the
mod_auth_form config is in the wrong scope.

It should be attached to the protected space, not a config section
representing the form itself.

On Sun, Jun 5, 2022 at 6:18 AM Eric Covener <co...@gmail.com> wrote:
>
> It looks to me like you don't actually have an authentication requirement, so when your session expires it doesn't trigger a redirect to your login form. Try protecting the cgi or some larger scope with e.g. 'require valid-user'
>
> On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <th...@gmail.com> wrote:
>>
>> Dear all,
>>
>> either I misunderstood how the SessionMaxAge setting is supposed to work or I made a fundamental mistake in my setup, but, in a nutshell, it seems that the users can access the form protected (form_auth) folder even after the session has expired.
>>
>> I have the following related setup :
>>
>>                 <Directory /opt/webroot/public>
>>                         Options None
>>                         AllowOverride None
>>                         Require all granted
>>                 </Directory>
>>
>>                 <Directory /opt/webroot/private_form>
>>                         AuthFormProvider file
>>                         AuthUserFile "conf/passwd"
>>                         AuthType Form
>>                         AuthName FormProtected
>>                         AuthFormUsername fauser
>>                         AuthFormPassword fapass
>>                         Session On
>>                         SessionCookieName fasession path=/
>>                         SessionMaxAge 120
>>
>>                         ErrorDocument 401 /webdoc/login.html
>>                 </Directory>
>>
>>                 <IfModule alias_module>
>>                         Alias /webdoc /opt/webroot/public/doc
>>                         ScriptAlias /webscr /opt/webroot/private_form/scr
>>                 </IfModule>
>>
>> (all this goes on via SSL, just in case that makes any difference)
>> Now, when the first time I point my browser to "https://localhost/webscr/testscript" I am correctly redirected to the login page and required to provide a username and pass.
>> The problem is that, after successfully logging in, even though I can see the session cookie expiration set to 2 mins, if I wait longer than that without closing my browser,
>> in case of a simple refresh of the page I'm being allowed back in without needing to re-authenticate.
>>
>> The "https://localhost/webscr/testscript" it's just a simple shell script that returns all environment variables.
>>
>> Now, even though I keep the browser open, if I refresh the page after the expiration period shouldn't I be forced to the login page again ? What am I missing ?
>>
>> Thanks in advance,
>> Thomas
>>
>>


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] mod_session SessionMaxAge

Posted by Eric Covener <co...@gmail.com>.
It looks to me like you don't actually have an authentication requirement,
so when your session expires it doesn't trigger a redirect to your login
form. Try protecting the cgi or some larger scope with e.g. 'require
valid-user'

On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <th...@gmail.com>
wrote:

> Dear all,
>
> either I misunderstood how the SessionMaxAge setting is supposed to work
> or I made a fundamental mistake in my setup, but, in a nutshell, it seems
> that the users can access the form protected (form_auth) folder even after
> the session has expired.
>
> I have the following related setup :
>
>                 <Directory /opt/webroot/public>
>                         Options None
>                         AllowOverride None
>                         Require all granted
>                 </Directory>
>
>                 <Directory /opt/webroot/private_form>
>                         AuthFormProvider file
>                         AuthUserFile "conf/passwd"
>                         AuthType Form
>                         AuthName FormProtected
>                         AuthFormUsername fauser
>                         AuthFormPassword fapass
>                         Session On
>                         SessionCookieName fasession path=/
>                         SessionMaxAge 120
>
>                         ErrorDocument 401 /webdoc/login.html
>                 </Directory>
>
>                 <IfModule alias_module>
>                         Alias /webdoc /opt/webroot/public/doc
>                         ScriptAlias /webscr /opt/webroot/private_form/scr
>                 </IfModule>
>
> (all this goes on via SSL, just in case that makes any difference)
> Now, when the first time I point my browser to "
> https://localhost/webscr/testscript" I am correctly redirected to the
> login page and required to provide a username and pass.
> The problem is that, after successfully logging in, even though I can see
> the session cookie expiration set to 2 mins, if I wait longer than that
> without closing my browser,
> in case of a simple refresh of the page I'm being allowed back in without
> needing to re-authenticate.
>
> The "https://localhost/webscr/testscript" it's just a simple shell script
> that returns all environment variables.
>
> Now, even though I keep the browser open, if I refresh the page after the
> expiration period shouldn't I be forced to the login page again ? What am I
> missing ?
>
> Thanks in advance,
> Thomas
>
>
>