httpd-users mailing list archives
From Justin Pasher <just...@newmediagateway.com>
Subject Re: [users@httpd] Is there any way that allows user to logout while using basic apache webserver authentication ?
Date Tue, 02 Sep 2008 22:21:41 GMT
jaweed ali wrote:
> Hi
>    I have apache with basic authentication set up with LDAP for user 
> credentials. apache allows me to log in on the server, but once a user logs in 
> to the web application and then even closes the browser, the browser 
> still has the authentication session saved. And the next time you just 
> visit the same site, the browser itself passes the uid/password to log in to the 
> website, which is really a security issue, so anyone can access the site 
> from the PC.
> I also performed the scenario such as
> 1: I set up my site as www.mysite.com/site and set up user1/passwd as uid/password 
> to access it
> 2: on the other hand I set up another directory, say 
> www.mysite.com/logout, and configured it to 
> authenticate logout/logout as userid/password
>  
> if i access www.mysite.com/site by 
> passing user1/passwd it successfully logs in
> after that i access www.mysite.com/logout 
> with logout/logout successfully, but 
> the problem is that
> if i just access www.mysite.com/site it 
> just allows me to log in without asking for a user id/password
>  
> so this way also does not provide a way to secure the site
>  
> Is there any way that i can follow to secure my site, or is there no 
> way to secure a site with apache when using basic authentication
>  
> Thanks

Are you using the "AuthType Basic" Apache directive, or are you 
authenticating the user via another means (such as a script that prompts 
for the username and password, then saves it in a cookie)?

If it is the former, then there is no standard way to allow the user to 
"logout". Some browsers (e.g. Firefox) have plug-ins available that will 
allow you to clear the HTTP authentication information, but they do not 
come with the browser. When you close the browser, it automatically 
clears this authentication information. Are you SURE that you closed ALL 
browser windows?

If it is the latter (which actually sounds more likely, since you say 
the user is going to www.mysite.com/logout), then your code is probably 
setting a cookie with an expiration date in the future. The logout page 
is not properly clearing that cookie, so when you reopen the browser, the 
cookie is found and the user is automatically logged in. You would need 
to adjust your code so that it creates a cookie that is only active for 
the current session.

Justin Pasher
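The two cases in the reply above, shown side by side as an added example (this is not code from the thread, from the poster's application, or from Apache httpd). The Basic-auth half shows why the server has nothing to revoke: each request is checked from scratch against whatever `Authorization` header the browser resends. The cookie half shows the three `Set-Cookie` shapes that matter: the persistent cookie with a future expiry that the reply warns about, a session cookie with no `Expires`/`Max-Age`, and a clearing cookie for the logout page. The `USERS` table, the in-memory `SESSIONS` store, the cookie name `sid` and the realm string are all constructed here; a real deployment would check LDAP as the poster does.

```python
"""HTTP Basic auth versus a session-cookie login/logout, as discussed in the thread.

Added example, not code from the original message or from Apache httpd.
USERS, SESSIONS, COOKIE_NAME and the realm are constructed for this demo.
"""
import base64
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"
USERS = {"user1": "passwd"}     # constructed credential table (stand-in for LDAP)
SESSIONS = {}                    # constructed in-memory store: session id -> user


def basic_auth_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser sends (and resends)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(authorization):
    """Decode a Basic Authorization value into (user, password), or None if malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_auth_check(authorization):
    """What 'AuthType Basic' amounts to: stateless, per-request credential checking.

    Returns (status, response headers). Nothing is stored server side, so the
    server has no session to end; only the browser can forget the header.
    """
    creds = parse_basic_auth(authorization)
    if creds and USERS.get(creds[0]) == creds[1]:
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="site"'}


def persistent_cookie(sid, days=30):
    """The pattern the reply warns about: a future expiry survives closing the browser."""
    return f"{COOKIE_NAME}={sid}; Max-Age={days * 86400}; Path=/; HttpOnly; Secure"


def session_cookie(sid):
    """No Expires/Max-Age: a session cookie the browser discards when it closes."""
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure"


def clearing_cookie():
    """Logout response: overwrite with an empty value and Max-Age=0 on the same Path."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; HttpOnly; Secure"


def session_id_from(cookie_header):
    """Pull our session id out of a request 'Cookie:' header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def login(user, password):
    """Return (sid, Set-Cookie value) on success, (None, None) on bad credentials."""
    if USERS.get(user) != password:
        return None, None
    sid = secrets.token_urlsafe(32)      # unguessable, 256 bits of entropy
    SESSIONS[sid] = user
    return sid, session_cookie(sid)


def is_authenticated(cookie_header):
    """A request is authenticated only if it carries a session id we still hold."""
    sid = session_id_from(cookie_header)
    return sid is not None and sid in SESSIONS


def logout(cookie_header):
    """Drop the session server side AND tell the browser to discard the cookie.

    The server-side removal is what actually ends the session: a client that
    ignores the clearing header, or a copied cookie, is rejected afterwards.
    """
    SESSIONS.pop(session_id_from(cookie_header), None)
    return clearing_cookie()


if __name__ == "__main__":
    print("basic, no header ->", basic_auth_check(None))
    print("basic, resent    ->", basic_auth_check(basic_auth_header("user1", "passwd")))
    sid, set_cookie = login("user1", "passwd")
    print("login  ->", set_cookie)
    print("authed ->", is_authenticated(f"{COOKIE_NAME}={sid}"))
    print("logout ->", logout(f"{COOKIE_NAME}={sid}"))
    print("authed ->", is_authenticated(f"{COOKIE_NAME}={sid}"))
```

Two details are easy to get wrong when fixing the poster's logout page: the clearing cookie must use the same `Path` (and domain) as the cookie it replaces, or the browser treats it as a different cookie and keeps the old one; and the session must also be removed server side, since a clearing header only asks the browser to forget.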

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

