I'm not sure why your initial redirect works, but it looks like the mod_auth_form config seems to be in the wrong scope. It should be attached to the protected space, not a config section representing the form itself. On Sun, Jun 5, 2022 at 6:18 AM Eric Covener <covener@xxxxxxxxx> wrote: > > It looks to me like you don't actually have an authentication requirement, so when your session expires it doesn't trigger a redirect to your login form. Try protecting the cgi or some larger scope with e.g. 'require valid-user' > > On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <thomas.fazekas@xxxxxxxxx> wrote: >> >> Dear all, >> >> either I misunderstood how the SessionMaxAge setting is supposed to work or I made a fundamental mistake in my setup, but, in a nutshell, it seems that the users can access the form protected (form_auth) folder even after the session has expired. >> >> I have the following related setup : >> >> <Directory /opt/webroot/public> >> Options None >> AllowOverride None >> Require all granted >> </Directory> >> >> <Directory /opt/webroot/private_form> >> AuthFormProvider file >> AuthUserFile "conf/passwd" >> AuthType Form >> AuthName FormProtected >> AuthFormUsername fauser >> AuthFormPassword fapass >> Session On >> SessionCookieName fasession path=/ >> SessionMaxAge 120 >> >> ErrorDocument 401 /webdoc/login.html >> </Directory> >> >> <IfModule alias_module> >> Alias /webdoc /opt/webroot/public/doc >> ScriptAlias /webscr /opt/webroot/private_form/scr >> </IfModule> >> >> (all this goes on via SSL, just in case that makes any difference) >> Now, when the first time I point my browser to "https://localhost/webscr/testscript"; I am correctly redirected to the login page and required to provide a username and pass. >> The problem is that, after successfully logging in, even though I can see the session cookie expiration set to 2 mins, if I wait longer than that without closing my browser, >> in case of a simple refresh of the page I'm being allowed back in without needing to re-authenticate. >> >> The "https://localhost/webscr/testscript"; it's just a simple shell script that returns all environment variables. >> >> Now, even though I keep the browser open, if I refresh the page after the expiration period shouldn't I be forced to the login page again ? What am I missing ? >> >> Thanks in advance, >> Thomas >> >> -- Eric Covener covener@xxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|