httpd-users mailing list archives

From Jim Maul <jm...@elih.org>
Subject Re: [users@httpd] kill .htaccess session
Date Tue, 13 Jul 2004 18:08:32 GMT
Quoting Joshua Slive <jslive@gmail.com>:

> On Tue, 13 Jul 2004 12:38:24 -0500, redhat <redhat@fayelectric.com> wrote:
>> I have a few Linux servers that I use internally for some minor web
>> applications that I have written.  Most of these are used only by myself
>> and my assistant.  I have some sensitive information on here as well as
>> other information that I need when going from one user's computer to
>> another that needs to be kept private.  I tried using PHP and MySQL
>> authorization and got it to work on the parent page but if someone
>> pulled up the history and went to a subsequent page it would let them
>> right in without user/pass.  I like .htaccess because it keeps the
>> entire directory secure enough for me.  My problem is this: it seems to
>> keep the session open for an unspecified period of time.  I know in PHP
>> I can kill the session by issuing another variable with a null value.
>> How can I do this using .htaccess?  Any help appreciated.
>
> This is basically impossible.
>

I pretty much agree with this.

> To start, the session is entirely in the hands of the browser.  The
> browser chooses when to send a password and when not to.  Most
> browsers will only forget the password if you shut them down.
>
> Googling for "htaccess logout" will give you various ideas for trying
> to trick the browser into forgetting the password.  But I don't know
> of any that are foolproof.
>

I've tried for about 2 months (off and on) to come up with a secure way to do
authentication with .htaccess and provide a logout with timeout.  I kept
running into problems that finally caused me to use custom auth programming and
PHP sessions.  There is no standard way that I know of to REALLY log the user
out using .htaccess.  Browsers are just not standard enough.

Jim

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
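For readers who, like Jim, end up on PHP sessions instead of .htaccess: the guard below is an added example (not code from this thread or from the Apache project) that closes the gap the original poster hit, where a page reached from browser history was served without a check. Every protected page includes it, so the server enforces the idle timeout and logout rather than the browser; the login page name and the `login()`/`logout()` helpers are assumptions.

```php
<?php
// auth_guard.php (added example, not code from the thread). Include it at the
// top of EVERY protected page, not only the login page, so a URL pulled from
// browser history is checked too. login.php (assumed name) calls login() after
// verifying the user against MySQL, as the original poster already does.

const IDLE_TIMEOUT = 900;          // seconds of inactivity before forced logout
const LOGIN_PAGE   = '/login.php'; // assumed location of the login form

session_start();
// Forbid caching so "Back" after logout cannot show stale protected content.
header('Cache-Control: no-store, no-cache, must-revalidate');
function is_authenticated(): bool
{
    if (empty($_SESSION['user'])) {
        return false;
    }
    // Idle timeout is enforced by the server, not left to the browser.
    if (time() - ($_SESSION['last_seen'] ?? 0) > IDLE_TIMEOUT) {
        logout();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function login(string $user): void
{
    session_regenerate_id(true); // fresh id on login defeats session fixation
    $_SESSION['user']      = $user;
    $_SESSION['last_seen'] = time();
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params(); // expire the cookie in the browser as well
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}
// Run the check immediately; every including page is protected the same way.
if (isset($_GET['logout'])) {
    logout();
}
if (!is_authenticated()) {
    header('Location: ' . LOGIN_PAGE, true, 303);
    exit;
}
```

Because the session state lives on the server, a "Logout" link (here `?logout=1`) or the timeout takes effect on the very next request, which is exactly what HTTP Basic auth through .htaccess cannot guarantee.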

