httpd-users mailing list archives

From "Robert Andersson" <>
Subject Re: [users@httpd] How to control access using Basic Authentication identifying sessions
Date Tue, 16 Sep 2003 09:57:35 GMT
David wrote:
> Q1. Since the browser is stateless, does it mean that when he goes on to
> another website/URL his browser does not know he is leaving my realm ?
> His browser will continue to send his credentials (i.e. user ID and
> passwords) to the next URL /website ? If yes, is the confidentiality of
> my users' ID and password being compromised since they are being sent to
> another URL now.

No well-behaved browser will do that. It will not consider a resource on
another host or higher up in the URI to be the same "realm", and so not send
any credentials.

> Is there a way I can implement the effect of
> - something like a log out button such that when the user clicks on it,
> he will 'exit' the protected server. When he tries to re-enter the realm
> again, he will have to enter his ID and password.

Yes, by terminating the session.

> - OR something like as soon as he exits the protected realm, his ID and
> password flushed (or something to that effect).

No, like Owen said, the browser will not let the server know the user is

> Any idea of how I can do this with just using HTTP server without CGIs
> or scripts.

No, you cannot do that. Perhaps there is a 3rd party module, but I'm not
aware of it. Doing this can be easy or complex, depending on your
requirements. Take a look at, and see what they have to
offer. The kind of authentication system you must make would work roughly
like this:

- A login page, where the user enters login/password and submits
- A script validates the credentials, and generates a unique "session id" and
   sets it in a cookie, with a timeout.
- All protected resources must check for this cookie and redirect to the
   login page if not there.
(ok, not very well explained)

How to code this is not appropriate on this list. If you search the net,
you will find thousands of resources on how to do this.

On another thought, it might be possible to do most of this by clever
configuration in Apache, by using basic authentication and cookies. I'm not
sure about that though...

Robert Andersson
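
The login / session-cookie / redirect flow listed in the message above, sketched as an added example that is not part of the original message or of Apache httpd. The cookie name `sid`, the `/login` path, the 900-second timeout, the in-memory stores and the sample user are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

SESSION_TTL = 900          # seconds; the cookie "timeout" (assumed value)
COOKIE_NAME = "sid"        # hypothetical cookie name
LOGIN_URL = "/login"       # hypothetical login page path

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user store: username -> (salt, password hash)
_salt = secrets.token_bytes(16)
USERS = {"david": (_salt, _hash("correct horse", _salt))}
SESSIONS = {}              # session id -> (username, expiry timestamp)

def login(user, password, now=None):
    """Validate credentials; return a Set-Cookie header value, or None."""
    now = time.time() if now is None else now
    # Unknown users still go through the hash so both paths cost the same.
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    if not hmac.compare_digest(_hash(password, salt), stored):
        return None
    sid = secrets.token_urlsafe(32)        # unguessable session id
    SESSIONS[sid] = (user, now + SESSION_TTL)
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME].update({"max-age": SESSION_TTL, "path": "/",
                           "httponly": True, "secure": True})
    return c[COOKIE_NAME].OutputString()

def _sid(cookie_header):
    c = SimpleCookie()
    c.load(cookie_header or "")
    return c[COOKIE_NAME].value if COOKIE_NAME in c else None

def check(cookie_header, now=None):
    """Gate for a protected resource: (200, user) or (302, LOGIN_URL)."""
    now = time.time() if now is None else now
    sid = _sid(cookie_header)
    user, expiry = SESSIONS.get(sid, (None, 0))
    if user is None or now >= expiry:
        SESSIONS.pop(sid, None)            # expiry is enforced server-side
        return 302, LOGIN_URL
    return 200, user

def logout(cookie_header):
    """The "log out button": terminate the session on the server."""
    SESSIONS.pop(_sid(cookie_header), None)
```

Because the server owns the session table, logout and timeout work without the browser's cooperation, which is the property Basic Authentication lacks.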

The official User-To-User support forum of the Apache HTTP Server Project.