Dear all,
Either I misunderstood how the SessionMaxAge setting is supposed to work or I made a fundamental mistake in my setup, but, in a nutshell, it seems that users can access the form-protected (form_auth) folder even after the session has expired.
I have the following related setup:
<Directory /opt/webroot/public>
Options None
AllowOverride None
Require all granted
</Directory>
<Directory /opt/webroot/private_form>
AuthFormProvider file
AuthUserFile "conf/passwd"
AuthType Form
AuthName FormProtected
AuthFormUsername fauser
AuthFormPassword fapass
Session On
SessionCookieName fasession path=/
SessionMaxAge 120
ErrorDocument 401 /webdoc/login.html
</Directory>
<IfModule alias_module>
Alias /webdoc /opt/webroot/public/doc
ScriptAlias /webscr /opt/webroot/private_form/scr
</IfModule>
(all this goes on via SSL, just in case that makes any difference)
The problem is that, after successfully logging in, even though I can see the session cookie expiration set to 2 mins, if I wait longer than that without closing my browser
and then simply refresh the page, I'm allowed back in without needing to re-authenticate.
Now, even though I keep the browser open, if I refresh the page after the expiration period, shouldn't I be forced to the login page again? What am I missing?
Thanks in advance,
Thomas