Posted to users@httpd.apache.org by "Wallace, Brian S." <wa...@ornl.gov> on 2004/08/31 20:52:45 UTC

[users@httpd] Adding timeouts to Apache 2.0

Hi:

I am adding code to Apache 2.0 to provide a timeout for all
authenticated content.  I have everything working, but because browsers
use cached credentials, I cannot be sure that the user re-authenticated
or the browser re-authenticated.  I change the realm name and do a
HTTP_UNAUTHORIZED response to trick the browser into prompting the user.
However, if the user types the password in wrong or cancels the
authentication process, I can't be sure that the next successful
authentication came from my original HTTP_UNAUTHORIZED response or not.

Are there any tricks that can be done like telling the browser to clear
the password cache or have the browser return the realm name that it's
authenticating to?  Any other ideas or approaches to this problem would
be appreciated.

Thanks,

Brian S. Wallace

Oak Ridge National Laboratory
P. O. Box 2008, MS 6025
Oak Ridge, Tennessee  37831-6025

Voice (865) 576-3193
Fax   (865) 241-4000
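
As an added example, not part of the post and not Apache code, here is a Python model of the scheme Brian describes: the server timestamps each accepted login per user and, once the stamp is older than the timeout, answers 401 with a rotated realm string so the browser's cached credentials no longer match. The account, password, timeout and realm strings are made up for the example. The last step of the scenario shows the gap he is asking about: the Basic Authorization header carries only base64(user:password), not the realm it answers, so the server's accept decision can only depend on the credentials and its own clock, never on which challenge produced them.

```python
import base64
import hmac
import time

# Constructed example data: one account and a ten-minute timeout (not from the post).
USERS = {"brian": "correct horse"}
TIMEOUT_SECONDS = 600


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth.

    Note what is NOT in it: the realm.  The browser keys its credential cache
    on the realm, but the server only ever receives base64(user:password).
    """
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


class BasicAuthTimeout:
    """Server side of the realm-rotation trick described in the post.

    Every accepted login is timestamped per user.  Once that stamp is older
    than the timeout the server forgets it and answers 401 with a new realm
    string, so the browser discards the credentials cached for the old realm
    and prompts again.
    """

    def __init__(self, users, timeout, clock=time.time):
        self.users = users
        self.timeout = timeout
        self.clock = clock        # injectable so the scenario can fast-forward time
        self.last_auth = {}       # user -> time the server first accepted this login
        self.epoch = 0            # bumped on every forced re-prompt

    def challenge(self):
        self.epoch += 1
        realm = "Protected area (epoch %d)" % self.epoch
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}

    def handle(self, headers):
        """Return (status, response headers) for one request."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return self.challenge()
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return self.challenge()
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return self.challenge()
        now = self.clock()
        first = self.last_auth.get(user)
        if first is not None and now - first > self.timeout:
            del self.last_auth[user]      # absolute timeout reached: force a fresh login
            return self.challenge()
        self.last_auth.setdefault(user, now)
        return 200, {}


def run_basic_auth_scenario():
    """Drive the server with a fake clock; return the status codes and two facts."""
    clock = [1_000.0]
    server = BasicAuthTimeout(USERS, TIMEOUT_SECONDS, clock=lambda: clock[0])
    cached = basic_header("brian", "correct horse")   # what the browser stored at first login
    statuses = [
        server.handle({})[0],                          # 401, realm epoch 1
        server.handle({"Authorization": cached})[0],   # 200, login timestamped
    ]
    clock[0] += TIMEOUT_SECONDS + 1
    statuses.append(server.handle({"Authorization": cached})[0])   # 401, realm epoch 2
    # Whether the browser replays what it cached or the user retypes the same
    # password into the new prompt, the bytes reaching the server are identical.
    retyped = basic_header("brian", "correct horse")
    statuses.append(server.handle({"Authorization": retyped})[0])  # 200 either way
    realm_in_header = "epoch" in base64.b64decode(retyped[6:]).decode()
    return statuses, cached == retyped, realm_in_header
```

`run_basic_auth_scenario()` returns `([401, 200, 401, 200], True, False)`: the replayed and the freshly typed header are byte-identical and neither mentions the realm, so `handle()` has nothing to check freshness against. To tie an accepted login to a specific challenge the server would need something it generates per challenge and the client echoes back, and Basic auth has no such field.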



Re: [users@httpd] Adding timeouts to Apache 2.0

Posted by Jim Maul <jm...@elih.org>.
Quoting "Wallace, Brian S." <wa...@ornl.gov>:

> Hi:
>
> I am adding code to Apache 2.0 to provide a timeout for all
> authenticated content.  I have everything working, but because browsers
> use cached credentials, I cannot be sure that the user re-authenticated
> or the browser re-authenticated.  I change the realm name and do a
> HTTP_UNAUTHORIZED response to trick the browser into prompting the user.
> However, if the user types the password in wrong or cancels the
> authentication process, I can't be sure that the next successful
> authentication came from my original HTTP_UNAUTHORIZED response or not.
>
> Are there any tricks that can be done like telling the browser to clear
> the password cache or have the browser return the realm name that it's
> authenticating to?  Any other ideas or approaches to this problem would
> be appreciated.
>

This seems to be asked every day in some form or another.  I admit your approach
seems somewhat different than the standard "how can I create a login/logout
system using basic auth" problem, however it still suffers from the same
drawbacks every other method has - it relies on the client.  This is basically
never going to work reliably because you can never really trust that the client
is going to do what you think it is going to do.  The only real way to do this
is to implement the login/logout system server side so you can control what is
actually happening.  PHP Sessions are a good start for this.

hth,

Jim
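
As an added example, not from the thread and not Apache or PHP code, here is the server-side approach Jim recommends written out in Python: login verifies the password and issues a random session id; every later request is checked against the server's own record, which decides idle and absolute expiry and is deleted on logout, so nothing the browser keeps or replays can extend or revive a session. The account, password and timeout values are made up for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed example account (not from the thread).  The password is stored
# as a salted PBKDF2 hash, never in clear.
_SALT = os.urandom(16)
_ITERATIONS = 100_000


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {"brian": _hash("correct horse")}

ABSOLUTE_LIFETIME = 8 * 3600   # seconds after login at which a session dies regardless of use
IDLE_TIMEOUT = 15 * 60         # seconds without a request after which it dies


class SessionStore:
    """Server-side login state.  The browser holds only an opaque random id
    (normally in a cookie); every decision about validity is made here."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so the scenario can fast-forward time
        self.sessions = {}            # session id -> {"user", "created", "last_seen"}

    def login(self, user, password):
        """Return a fresh session id on success, None on bad credentials."""
        candidate = _hash(password)   # hash even for unknown users, so timing does not reveal names
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored, candidate):
            return None
        sid = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid):
        """Return the user behind a presented session id, or None if it is no longer valid."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["created"] > ABSOLUTE_LIFETIME or now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]                  # expiry is decided by the server, not the client
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Forget the session; a browser that keeps the id can do nothing with it."""
        self.sessions.pop(sid, None)


def run_session_scenario():
    """Walk through bad login, idle expiry, absolute expiry and logout with a fake clock."""
    clock = [0.0]
    store = SessionStore(clock=lambda: clock[0])
    checks = []

    checks.append(store.login("brian", "wrong password") is None)

    sid = store.login("brian", "correct horse")
    checks.append(store.user_for(sid) == "brian")
    clock[0] += IDLE_TIMEOUT + 1
    checks.append(store.user_for(sid) is None)           # idle too long: dead, whatever the client still holds

    sid = store.login("brian", "correct horse")
    seen = []
    for _ in range(ABSOLUTE_LIFETIME // IDLE_TIMEOUT + 1):
        clock[0] += IDLE_TIMEOUT - 1                     # keep it busy, never idle
        seen.append(store.user_for(sid))
    checks.append(seen[-2] == "brian" and seen[-1] is None)   # busy sessions still hit the absolute limit

    sid = store.login("brian", "correct horse")
    store.logout(sid)
    checks.append(store.user_for(sid) is None)           # replaying the id after logout fails
    return checks
```

`run_session_scenario()` returns five `True` values. The point that matters for Brian's question is that `user_for()` consults only state the server wrote: a cached credential, a re-sent cookie or a cancelled prompt on the client cannot change what the server concludes, which is what Jim means by controlling what is actually happening.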

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org