httpd-users mailing list archives

From David Bernick <>
Subject Apache and improper timeout
Date Wed, 12 Jun 2002 03:32:02 GMT

In Apache, I have set a force timeout to the authentication. If a user is
idle for 20 minutes, the server destroys their SessionID and the user is
presented with a 401 error (and an authentication box). If the user
doesn't authenticate properly at this point, they are presented with an
UNAUTHORIZED page. This is correct behavior. However, if the user hits
"refresh" in any number of browsers (particularly IE), they are not
prompted with the usual Authentication box, but are simply allowed into
the page. I guess the browser auto sends the username/passwd string.

So the security hole in this is obvious. From a server standpoint, this is
still correct behavior. I know Apache says that this is a browser issue
and not a server issue. I agree with this point, too, but Microsoft isn't
about to start changing their browser to do this function anytime in the
near future. There might be options to do this in the browser already, but
it is hardly a default setting. 

I could use a cookie or session to generate some sort of token to get my
desired behavior, but I have another solution so I don't have to touch my
application that resides on the webserver. AuthName (the Realm) is the
key, from what I understand, to bringing up the Authentication. The
browser brings up the authentication even if the URL is the same and the
Realm is different.

I thought that instead of having AuthName in the .htaccess file, the name
could be generated from code and sent to the browser and it would remain
part of the session. If the session times out or a new session is
activated, a new Realm name is generated. I know this wouldn't solve all
problems, but it WOULD solve this one.

My question is: does anyone have an Apache module that would solve this, or
have they heard of one? Is this random Realm thing a good idea or is it
crud? Anyone have a better idea that wouldn't require a change in the
application code? Changing the web application is a possibility, but it's
my desire not to change it.

I am using Apache 1.3.x. I am using Perl Auth_DBI to do my Basic
Authentication scheme.



David Bernick

Age before beauty; and pearls before swine.
		-- Dorothy Parker
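The exchange the post describes, as an added example that is not part of the original message and is not code from Apache or Auth_DBI: a small simulation of a Basic-auth server with an idle timeout and a browser-side credential cache. The user table, the fake clock, the 20-minute timeout and the browser model are all assumptions made for the example. It runs the same refresh-after-timeout sequence three times: with a fixed AuthName, with a fresh realm on every 401 challenge (the random-realm idea), and with the random realm against a browser that ignores realm changes, which shows why the idea only fixes the browser side of the problem.

```python
"""Constructed simulation of the random-realm idea; not from the original post."""
import base64
import secrets
import time

USERS = {"alice": "s3cret"}     # constructed user table (assumption)
IDLE_TIMEOUT = 20 * 60          # 20 minutes, as in the post


class Server:
    """Basic-auth protected page with an idle timeout.

    random_realm=False: fixed AuthName, as in a stock .htaccess.
    random_realm=True:  every 401 challenge carries a freshly generated realm,
                        so cached credentials no longer match after a timeout.
    """

    def __init__(self, random_realm, clock=time.time):
        self.random_realm = random_realm
        self.clock = clock
        self.sessions = {}          # user -> last-seen timestamp

    def _challenge(self):
        realm = "app-" + secrets.token_hex(8) if self.random_realm else "Protected"
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}

    def handle(self, headers):
        """Serve one request. Returns (status, response headers/body)."""
        now = self.clock()
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return self._challenge()
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:          # bad base64 or bad UTF-8
            return self._challenge()
        if USERS.get(user) != pw:
            return self._challenge()    # the UNAUTHORIZED page in the post
        last = self.sessions.get(user)
        if last is not None and now - last > IDLE_TIMEOUT:
            # Idle too long: destroy the session and force re-authentication.
            # Basic auth never sends the realm back, so the server cannot tell
            # whether the next Authorization header was typed in or replayed.
            del self.sessions[user]
            return self._challenge()
        self.sessions[user] = now
        return 200, {"body": "welcome " + user}


class Browser:
    """Model of a browser's Basic-auth credential cache (assumption).

    Credentials are remembered per realm: on a 401 the browser resends cached
    credentials if it has some for the realm in the challenge, else it prompts.
    honours_realm=False models a browser that ignores the realm and resends
    whatever it sent last.
    """

    def __init__(self, server, honours_realm=True):
        self.server = server
        self.honours_realm = honours_realm
        self.cache = {}             # realm -> Authorization header value
        self.last_realm = None
        self.prompts = 0

    def _prompt(self, realm):
        self.prompts += 1           # user types alice / s3cret into the dialog
        self.cache[realm] = "Basic " + base64.b64encode(b"alice:s3cret").decode()
        self.last_realm = realm

    def request(self):
        """Load the page once. Returns (final status, prompted_this_time)."""
        prompts_before = self.prompts
        headers = {}
        if self.last_realm is not None:
            headers["Authorization"] = self.cache[self.last_realm]  # preemptive
        status, resp = self.server.handle(headers)
        if status == 401:
            realm = resp["WWW-Authenticate"].split('realm="', 1)[1].rstrip('"')
            if realm in self.cache:
                self.last_realm = realm
            elif not self.honours_realm and self.last_realm is not None:
                pass                # resend stale credentials regardless of realm
            else:
                self._prompt(realm)
            status, resp = self.server.handle(
                {"Authorization": self.cache[self.last_realm]})
        return status, self.prompts > prompts_before


def refresh_after_timeout_gets_in(random_realm, honours_realm=True):
    """Log in, go idle past the timeout, hit refresh. True means the refresh
    succeeded with no password prompt, i.e. the hole the post describes."""
    now = [1_000_000.0]                         # fake clock, seconds
    server = Server(random_realm, clock=lambda: now[0])
    browser = Browser(server, honours_realm)
    status, prompted = browser.request()
    assert status == 200 and prompted           # first visit always prompts
    now[0] += IDLE_TIMEOUT + 1
    status, prompted = browser.request()
    return status == 200 and not prompted


if __name__ == "__main__":
    print("fixed AuthName, silent re-entry:", refresh_after_timeout_gets_in(False))
    print("random realm, silent re-entry:", refresh_after_timeout_gets_in(True))
    print("random realm, realm-ignoring browser:",
          refresh_after_timeout_gets_in(True, honours_realm=False))
```

The server logic is identical in all three runs apart from the realm string; the only thing that changes is whether the browser decides to prompt. That is the limit of the technique: a fresh realm per challenge makes a realm-honouring browser re-prompt after the timeout, but the server still has to accept whatever valid Authorization header arrives next, so a client that replays its cached credentials regardless of realm is let in exactly as before.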
