Re: nod_session SessionMaxAge

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



It looks to me like you don't actually have an authentication requirement, so when your session expires it doesn't trigger a redirect to your login form. Try protecting the cgi or some larger scope with e.g. 'require valid-user'

On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <thomas.fazekas@xxxxxxxxx> wrote:
Dear all,

either I misunderstood how the SessionMaxAge setting is supposed to work or I made a fundamental mistake in my setup, but, in a nutshell, it seems that the users can access the form protected (form_auth) folder even after the session has expired.

I have the following related setup : 

                <Directory /opt/webroot/public>
                        Options None
                        AllowOverride None
                        Require all granted
                </Directory>

                <Directory /opt/webroot/private_form>
                        AuthFormProvider file
                        AuthUserFile "conf/passwd"
                        AuthType Form
                        AuthName FormProtected
                        AuthFormUsername fauser
                        AuthFormPassword fapass
                        Session On
                        SessionCookieName fasession path=/
                        SessionMaxAge 120
                                               
                        ErrorDocument 401 /webdoc/login.html
                </Directory>

                <IfModule alias_module>
                        Alias /webdoc /opt/webroot/public/doc
                        ScriptAlias /webscr /opt/webroot/private_form/scr
                </IfModule>

(all this goes on via SSL, just in case that makes any difference)
Now, when the first time I point my browser to "https://localhost/webscr/testscript" I am correctly redirected to the login page and required to provide a username and pass.
The problem is that, after successfully logging in, even though I can see the session cookie expiration set to 2 mins, if I wait longer than that without closing my browser,
in case of a simple refresh of the page I'm being allowed back in without needing to re-authenticate.

The "https://localhost/webscr/testscript" it's just a simple shell script that returns all environment variables.

Now, even though I keep the browser open, if I refresh the page after the expiration period shouldn't I be forced to the login page again ? What am I missing ?

Thanks in advance,
Thomas



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux