It looks to me like you don't actually have an authentication requirement, so when your session expires it doesn't trigger a redirect to your login form. Try protecting the cgi or some larger scope with e.g. 'require valid-user'On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <thomas.fazekas@xxxxxxxxx> wrote:Dear all,either I misunderstood how the SessionMaxAge setting is supposed to work or I made a fundamental mistake in my setup, but, in a nutshell, it seems that the users can access the form protected (form_auth) folder even after the session has expired.I have the following related setup :<Directory /opt/webroot/public>
Options None
AllowOverride None
Require all granted
</Directory><Directory /opt/webroot/private_form>
AuthFormProvider fileAuthUserFile "conf/passwd"
AuthType Form
AuthName FormProtected
AuthFormUsername fauser
AuthFormPassword fapass
Session On
SessionCookieName fasession path=/
SessionMaxAge 120
ErrorDocument 401 /webdoc/login.html
</Directory><IfModule alias_module>
Alias /webdoc /opt/webroot/public/doc
ScriptAlias /webscr /opt/webroot/private_form/scr
</IfModule>(all this goes on via SSL, just in case that makes any difference)Now, when the first time I point my browser to "https://localhost/webscr/testscript" I am correctly redirected to the login page and required to provide a username and pass.The problem is that, after successfully logging in, even though I can see the session cookie expiration set to 2 mins, if I wait longer than that without closing my browser,in case of a simple refresh of the page I'm being allowed back in without needing to re-authenticate.The "https://localhost/webscr/testscript" it's just a simple shell script that returns all environment variables.Now, even though I keep the browser open, if I refresh the page after the expiration period shouldn't I be forced to the login page again ? What am I missing ?Thanks in advance,Thomas