httpd-users mailing list archives

From "David" <amdaw...@starhub.net.sg>
Subject RE: [users@httpd] How to control access using Basic Authentication identifying sessions
Date Tue, 16 Sep 2003 10:59:57 GMT
Hi Boyle,

Really appreciate your help and advice. I now have a better
understanding.

I need to implement what I described pretty urgently. I wonder what will
be the fastest way to pick up the technique to implement what I propose
to do. 

If it requires me to learn CGI or something, what will be a good area to
start and what will be the quintessential stuff I need to do? It will
of course be an excellent idea to pick up CGI really well; however,
this website thingie is really a very very small part of my current
project and I need to move on to other parts of it. 

Hope to hear from you! 

Regards, 
David
 

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle@swx.com] 
Sent: 16 September 2003 18:04
To: users@httpd.apache.org
Subject: RE: [users@httpd] How to control access using Basic
Authentication identifying sessions

>-----Original Message-----
>From: David [mailto:amdawong@starhub.net.sg]
>
>I have couple of points to clarify with regards to
>" When the user "leaves your realm", all he does is go to a different
>URL.
>This means his browser sends a request to a different webserver
>somewhere else on the planet."
>
>Q1. Since the browser is stateless, does it mean that when he goes on to
>another website/URL his browser does not know he is leaving my realm?
>His browser will continue to send his credentials (i.e. user ID and
>passwords) to the next URL/website? 

No. The browser only sends the credentials to the protected directory.
If you have protected http://your-site/private, then any requests for
http://your-site/private/page.html,
http://your-site/private/dir1/page2.html,
http://your-site/private/dir1/dir2/dir3/page.html will all be sent with
credentials.

Requests for http://your-site/public/xyz or http://any-other-site/
will not contain the credentials.

>Q2. It seems to me that one will need to implement some kind of CGI or
>Cocoon stuff.... to get the effect of users logging out of our realm. 
>Is there a way I can implement the effect of 
>- something like a log out button such that when the user clicks on it,
>he will 'exit' the protected server. When he tries to re-enter the realm
>again, he will have to enter his ID and password.
>- OR something like as soon as he exits the protected realm, his ID and
>password are flushed (or something to that effect). When he tries to re-enter
>the protected realm, he will be prompted to re-enter his ID and
>password. If this is possible, I can easily implement a link that is
>OUTSIDE the realm ... and publish a page that he is outside the
>protected realm and will require him to re-login again.

Won't work. If you go to an external URL, the browser will not send the
credentials, but it won't forget about them. When you return to the
protected realm again, the browser will remember that it needs
credentials, get them from its cache and send them with the request. You
need to flush the browser cache to get it to forget about them. Before
you ask, the server can't force the browser to do this.

The cache will get overwritten eventually - if the browser visits lots
of password sites, it will eventually forget about the first one. Or if
the browser is shut down and restarted, this usually flushes the cache.
But you can only advise the human to do this - you can't make the
browser do it.

>Any idea of how I can do this with just using HTTP server without CGIs
>or scripts. 

No. The Basic Authentication scheme is what it says - "basic". It is not
a trivial task to force stateful behaviour onto what is essentially a
stateless protocol. If you look at all the online banking applications
that exist, none of them use basic auth - they all use server-side
programming and cookies to control state (try doing online banking with
cookies switched off in your browser - you'll get an error telling you
to switch them on again).

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


>
>Regards
>David
>
>
>
>-----Original Message-----
>From: Boyle Owen [mailto:Owen.Boyle@swx.com] 
>Sent: 16 September 2003 16:39
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] How to control access using Basic
>Authentication identifying sessions
>
>>-----Original Message-----
>>From: David [mailto:amdawong@starhub.net.sg]
>>
>>I need to implement a way such that once the user leaves my realm and
>>tries to re-enter my website, he will have to re-login again. This is
>>because if the computer is a public computer. A user may enter my
>>website using his user ID and password. If he doesn't close that browser
>>window and leaves that computer, another user will be able to enter my
>>website still.
>
>Check out http://httpd.apache.org/docs/howto/auth.html#basicfaq
>
>Just to be clear - HTTP is a stateless protocol. The concept of being
>"logged in" is an illusion. What happens is that the first time a user
>tries to access a restricted realm, the server responds with a 401
>Unauthorized. The browser is clever enough to recognise this and so,
>rather than reporting the 401, prompts the user for a username/password.
>Once you type this in the browser requests the URI again, this time
>adding the username/password (aka *"credentials") to the request. On
>every subsequent request to that URI or its subdirectories, the browser
>adds the same credentials. 
>
>On the server side, the server first gets a plain request (no
>credentials), responds with 401, then later gets another request with
>credentials - if the credentials are OK, it serves the content. Note
>that the server doesn't know or care that the requests are coming from
>the same user - they are just a bunch of independent HTTP requests; if
>they have valid credentials they are served, if not - 401.
>
>When the user "leaves your realm", all he does is go to a different URL.
>This means his browser sends a request to a different webserver
>somewhere else on the planet. He doesn't send a message to your server
>to say, "Ok thanks, I'm finished with you now. I'm going off to Google
>for a bit..." In other words, you have no way of knowing what the guy
>who just logged in is doing - he could've surfed off to a dozen
>different sites or could be avidly reading your page.
>
>Having said all that, there is a way to preserve state and that is to
>use cookies. A cookie is a small chunk of data which the browser caches
>and then returns with every subsequent request. You can put
>identification on the cookie so you know if the same guy has come back.
>A cookie can also "expire" so you can time-out a "connection". However,
>I don't think you can mix cookies with Basic Auth - the two mechanisms
>are quite separate so if you use cookies, you have to use CGI or Cocoon
>or something to handle the login and cookie administration.
>
>Cookies are a whole new can of worms, but this will get you started:
>http://httpd.apache.org/docs-2.0/mod/mod_usertrack.html
>
>Rgds,
>Owen Boyle
>Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
>>
>>Does anyone know how I can implement the above mentioned? 
>>1. Once they exit the protected realm (i.e. the protected folder in my
>>htdocs), when they re-enter the site again they will be asked for a
>>password.
>>
>>Many thanks for your time and attention. 
>>
>>Warmest Regards
>>David
>>
>>
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP 
>>Server Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>This e-mail is of a private and personal nature. It is not related to
>the exchange or business activities of the SWX Swiss Exchange.
>
>This message is for the named person's use only. It may contain
>confidential, proprietary or legally privileged information. No
>confidentiality or privilege is waived or lost by any mistransmission.
>If you receive this message in error, please notify the sender urgently
>and then immediately delete the message and any copies of it from your
>system. Please also immediately destroy any hardcopies of the message.
>You must not, directly or indirectly, use, disclose, distribute, print,
>or copy any part of this message if you are not the intended recipient.
>The sender's company reserves the right to monitor all e-mail
>communications through their networks. Any views expressed in this
>message are those of the individual sender, except where the message
>states otherwise and the sender is authorised to state them to be the
>views of the sender's company. 
>
>
>
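The Basic-auth behaviour Owen Boyle describes in the thread above (the 401 challenge, the browser sending its cached credentials for everything under the protected directory and for nothing else, and the server having no way to clear that cache), next to the cookie-session approach he contrasts it with, as an added example in Python. This is not code from the original thread or from Apache httpd: the host names your-site and any-other-site, the USERS store and the Browser class are constructed for the demonstration, and Browser is a simplified model of a browser's credential cache, not a real one.

```python
import base64
import hmac
import secrets

# Constructed demo credential store, plaintext only to keep the example short.
# A real deployment stores hashes (e.g. htpasswd -B) and compares those.
USERS = {"david": "s3cret"}
REALM = "private"
PROTECTED_PREFIX = "/private/"


def verify_password(user, password):
    expected = USERS.get(user)  # constant-time compare on the password
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def check_basic(authorization):
    """Username from a valid 'Authorization: Basic base64(user:password)' header, else None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return user if sep and verify_password(user, password) else None


def handle_request(path, headers):
    """your-site: each request is judged on its own; there is no 'logged in' state."""
    if not path.startswith(PROTECTED_PREFIX):
        return 200, {}
    user = check_basic(headers.get("Authorization"))
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    return 200, {"X-User": user}


def other_site(path, headers):
    return 200, {}  # a server elsewhere on the planet: never sees the credentials


SERVERS = {"your-site": handle_request, "any-other-site": other_site}


class Browser:
    """Model of the browser's Basic-auth credential cache: after one successful
    challenge the credentials are stored for the protected directory and sent,
    unprompted, with every later request at or below it. Nothing the server
    sends can clear the cache."""

    def __init__(self):
        self.cache = {}   # (host, directory) -> Authorization header value
        self.prompts = 0  # times the user was asked for a password

    def _cached_header(self, host, path):
        for (h, directory), header in self.cache.items():
            if h == host and path.startswith(directory):
                return header
        return None

    def get(self, host, path, prompt=None):
        """Fetch host+path; 'prompt' supplies (user, password) on a 401.
        Returns (status, credentials_were_sent)."""
        header = self._cached_header(host, path)
        status, _ = SERVERS[host](path, {"Authorization": header} if header else {})
        if status == 401 and prompt is not None:
            self.prompts += 1
            user, password = prompt()
            header = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
            status, _ = SERVERS[host](path, {"Authorization": header})
            if status == 200:  # remember for the directory of the resource
                self.cache[(host, path.rsplit("/", 1)[0] + "/")] = header
            return status, True
        return status, header is not None


class SessionStore:
    """Server-held sessions keyed by a random cookie value: this is what gives
    the server a real logout and a time-out, which Basic auth cannot offer."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> (user, expires_at)

    def login(self, user, password, now):
        if not verify_password(user, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self.sessions[token] = (user, now + self.ttl)
        return token

    def user_for(self, token, now):
        entry = self.sessions.get(token)
        if entry is None or now >= entry[1]:
            self.sessions.pop(token, None)  # expired sessions are dropped here
            return None
        return entry[0]

    def logout(self, token):
        self.sessions.pop(token, None)
```

Running the Browser through the sequence in the thread (authenticate once for /private/page.html, visit /public/xyz and another site, come back to /private) leaves prompts at 1: the "logout link outside the realm" has no effect, exactly as the reply says, while SessionStore.logout and the ttl are the operations Basic auth lacks. Two practitioner caveats: Basic auth puts the password on every request, so it belongs only behind TLS, and a session cookie should be set with the HttpOnly and Secure attributes so it is neither readable by page scripts nor sent in the clear.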
