httpd-users mailing list archives

From: Tom Evans
Subject: Re: [users@httpd] using mod auth_mysql with apache for authentication
Date: Tue, 09 Aug 2011 11:42:11 GMT

On Tue, Aug 9, 2011 at 12:13 PM, Tom Browder wrote:
> On Tue, Aug 9, 2011 at 05:07, Tom Evans wrote:
>> On Tue, Aug 9, 2011 at 4:42 AM, Rajeev Prasad wrote:
> ...
>>> currently I have mod auth_mysql configured and running as plaintext
>>> password:
> ...
>>> 2. how can I get a user log out once the browser tab is closed. seems I
>>> have to close the browser and reopen, then only I am presented login box.
> ...
>> I can only answer 2)
>> When you authenticate with basic auth, you do not 'log in' or 'log
>> out', authentication is performed on every single request. Browsers
>> cache basic auth credentials and resubmit them on every request, until
>> the server responds with a 401 response (authentication required), at
>> which point the browser will prompt for new credentials.
> Is there a way to do that on a regular time interval, say every 20 min?
> Best regards,
> -Tom

Not easily. I ported a legacy application that required authentication
by basic auth to an SSO solution. One of the key criteria was that
authentication should work precisely as it did before, even if it was
now actually authenticating against a SAML Identity Provider.

Anyhow, in this scenario I was able to collect the credentials from
the basic auth request, authenticate against the IdP, and store the
authorization in the user's session, along with the username supplied
from basic auth. When the user clicked logout, this simply removed the
authorization from the user's session, so that their access is
immediately removed. The user's browser at that point is still sending
basic auth along with every request, but the system does not act on it
due to it matching the username in the user's session.

If/when the 'logged out' user clicks on the login again, we remove the
stored username from the session, and return a 401 to force the
browser to re-request auth credentials.

If this sounds overly complex, it was. It was also only achievable
through the custom handlers/auth modules we wrote for this; you
wouldn't be able to get the same effect with just Apache authnz.

Thankfully, a few months afterwards the project manager acquiesced and
allowed us to redesign the site with form based login. Welcome to the
20th century :)
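
A minimal sketch of the session logic described in the message above, added here as an illustration; it is not the poster's code or an Apache module. The `handle` function, the `/login` and `/logout` paths, the 403 returned to a logged-out user, and the `idp_authenticate` stub with its constructed user table are all assumptions.

```python
import base64
import binascii
import hmac

# Constructed stand-in for the SAML IdP check (assumption, sample credentials).
_USERS = {"alice": "correct horse"}

def idp_authenticate(user, password):
    expected = _USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="legacy"'})

def handle(session, path, authorization=None):
    """Return (status, headers); `session` is the server-side session dict."""
    if path == "/logout":
        session.pop("authorized", None)   # keep "username" as the logged-out marker
        return 200, {}
    if path == "/login" and "username" in session and not session.get("authorized"):
        session.pop("username", None)     # forget the marker and force a re-prompt
        return CHALLENGE
    if session.get("authorized"):
        return 200, {}                    # access comes from the session
    creds = parse_basic(authorization)
    if creds is None:
        return CHALLENGE
    user, password = creds
    if session.get("username") == user:   # browser replaying cached credentials
        return 403, {}                    # assumed response for a logged-out user
    if idp_authenticate(user, password):
        session.update(username=user, authorized=True)
        return 200, {}
    return CHALLENGE
```

The second request to `/login`, sent after the browser re-prompts, finds no stored username in the session and is authenticated from scratch.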


