httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] httpd session timeout
Date Wed, 24 Aug 2016 15:29:12 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Roger,

On 8/24/16 9:53 AM, Roger Paanini wrote:
> Chris, I am testing it by logging into the website using basic 
> authentication and then waiting for the time out duration and try
> to access the page again. I am expecting to be challenged for
> credentials again when I tried to access the page after the
> timeout. But I am never challenged after the timeout - ever after
> several hours beyond the timeout value.

You are misunderstanding the nature of HTTP BASIC authentication.

If the server sends a 403 response, your browser will show an
authentication dialog (username/password) and then provide those
credentials to the server with a follow-up request for the same
resource. For subsequent requests, those same credentials will be sent
with no end-date. HTTP BASIC has no provision for "session expiration"
as a part of the spec (that's why it's called "BASIC").

If you want to *really* expire the session and request a new
authentication challenge, you'll need to do it yourself. For example:
when authentication succeeds, place a token in the session that says
"last authenticated request". But before you do that, check the
session to see when the last authenticated request actually was. If it
was more than e.g. 60 seconds ago, *you* need to respond with an HTTP
403 response. httpd is not going to do this for you.

> But I see the following messages in my log file... I suspect my
> session modules are not configured correctly?

I'm sure your session modules are configured correctly. You just
misunderstand what the protocol (and httpd) can do for you, and what
you will have to do yourself.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXvb1IAAoJEBzwKT+lPKRYu9wQAMCaHmD1G4xNoUgClAJffnlf
kbhRF1hpjCmmGuOHqa19hbbttj0JuadNsFugAuRc0eSpJ0DUe/zlGZuX/YqitZLU
uiVCQVtXQ8nScmC/9WQjkSCB6NHJRXtUINItReu87NEGaWNUDeglyIHCerWK/zw/
yIUykBTT6qsxGL/i14W7ijL8GM9oN37jdlK+Bpakp8jMYChkbduYJVL3X70DxgyD
+oA7hzkq7Gjrmoj8BwJY1OhPnTELj22YTe6mr3KqephTmMN6LC9PWRzeLFgIN0ad
DBFnFKoMJxSAobvpoG40xeFIGWZAnNVmzHDJbHGllvgeD6X6i3ojH29U9kMSFutL
TOy8tBVCJQDe0e2LxXUbW5Imc1j4bXfMIkqBB3EVJB8oU8Fi9yygvcKCpy6WZkFp
n/q6uh3nu9jqHGQfyFviRmS0iEGMxoPSbKnnEzITOR7LPRUYaitiNPPbjie37ySi
kl/w4/1EzWzDd2HQf1wXd0b/UD+ach5S0KjgDVoTiESuc35EJCe2+bPYavoVtOZu
egYhEBIsc0ffcs3cz8cY3/66djGsKVtsJNHuXOnxAw/WTs2gFKSwOr3C0ARp4MBY
Zc1WPx7UqnYVDrG7bLDxvPKJsK/clD9Av++192dgB6M+VOmYepWFFaUYkfvScnsP
0S/3bmTlc6HKfTcldyNK
=ZqEH
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message