Return-Path: 
 <users-return-13011-apmail-httpd-users-archive=httpd.apache.org@httpd.apache.org>
Delivered-To: apmail-httpd-users-archive@httpd.apache.org
Received: (qmail 6267 invoked by uid 500); 27 Aug 2002 11:40:51 -0000
Mailing-List: contact users-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@httpd.apache.org
list-help: <mailto:users-help@httpd.apache.org>
list-unsubscribe: <mailto:users-unsubscribe@httpd.apache.org>
list-post: <mailto:users@httpd.apache.org>
Delivered-To: mailing list users@httpd.apache.org
Received: (qmail 6255 invoked from network); 27 Aug 2002 11:40:50 -0000
Received: from ns0b.swx.com (146.109.240.235)
  by daedalus.apache.org with SMTP; 27 Aug 2002 11:40:50 -0000
Received: from gate0a.unix.swx.ch (gate0a [192.168.252.17])
	by ns0b.swx.com (8.9.3+Sun/8.9.3) with ESMTP id NAA10394
	for <users@httpd.apache.org>; Tue, 27 Aug 2002 13:40:49 +0200 (MEST)
Received: from SOMEXEVS001.ex.ordersx.org (localhost [127.0.0.1])
	by gate0a.unix.swx.ch (8.9.3+Sun/8.9.3) with ESMTP id NAA06028
	for <users@httpd.apache.org>; Tue, 27 Aug 2002 13:40:49 +0200 (MEST)
X-Authentication-Warning: gate0a.unix.swx.ch: iscan owned process doing -bs
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
Date: Tue, 27 Aug 2002 13:40:49 +0200
Message-ID: 
 <14D1193E30E0894D8A773957C0AEE24AAA8C64@SOMEXEVS001.ex.ordersx.org>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [users@httpd] how to set apache authentication time out 
Thread-Index: AcJNugkIWY11aPl6R4iy38bAEilYxQAA4x8w
From: "Boyle Owen" <Owen.Boyle@swx.com>
To: <users@httpd.apache.org>
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N
Subject: RE: [users@httpd] how to set apache authentication time out 

Authentication doesn't work like this. Apache is stateless and doesn't =
really know who is "logged in".

What really happens is that when someone requests a page from a =
"password protected" directory, apache responds with a "401 =
Unauthorized" response. The browser then pops up a challenge window and =
the user types in user and password. The browser then caches this data =
and sends it in an "Authorize" header with every subsequent request to =
that directory - thus creating the illusion of being logged in.

Apache has no sense of time on this and simply verifies every Authorize =
header against the AuthUserFile every time it receives a request. If it =
passes you get the page, if not you get 401 again.

To do what you want to do, you'd have to forget about authentication in =
apache and implement the whole scheme in CGI.

Rgds,

Owen Boyle

>-----Original Message-----
>From: lzx [mailto:lzx@netchina.com.cn]
>Sent: Dienstag, 27. August 2002 13:09
>To: users@httpd.apache.org
>Subject: [users@httpd] how to set apache authentication time out=20
>
>
>Hello, everyone
>
>I added a line in httpd.conf as:
>
>AccessFileName .htaccess
>
>And created ".htaccess" file in document root dir, as following
>
>order deny,allow
>deny from all
>allow from all
>AuthUserFile    /usr/apache/conf/passwd
>AuthGroupFile  /dev/null
>AuthName       Bypasswd
>AuthType       Basic
>
><Limit GET POST>
>require valid-user
></Limit>
>
>Now the authenticaion is ok. :-)
>
>But I need an additional function of time out, that is,=20
>make user invalid after a period of idle time, then=20
>user must relogin.  How should I do?
>I hope to make some configuration to complete it instead
>of writing a cgi to save cookie.
>
>Much thanks.
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org