I'm not sure why your initial redirect works, but it looks like the
mod_auth_form config seems to be in the wrong scope.
It should be attached to the protected space, not a config section
representing the form itself.
On Sun, Jun 5, 2022 at 6:18 AM Eric Covener <covener@xxxxxxxxx> wrote:
>
> It looks to me like you don't actually have an authentication requirement, so when your session expires it doesn't trigger a redirect to your login form. Try protecting the cgi or some larger scope with e.g. 'require valid-user'
>
> On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <thomas.fazekas@xxxxxxxxx> wrote:
>>
>> Dear all,
>>
>> either I misunderstood how the SessionMaxAge setting is supposed to work or I made a fundamental mistake in my setup, but, in a nutshell, it seems that the users can access the form protected (form_auth) folder even after the session has expired.
>>
>> I have the following related setup:
>>
>> <Directory /opt/webroot/public>
>> Options None
>> AllowOverride None
>> Require all granted
>> </Directory>
>>
>> <Directory /opt/webroot/private_form>
>> AuthFormProvider file
>> AuthUserFile "conf/passwd"
>> AuthType Form
>> AuthName FormProtected
>> AuthFormUsername fauser
>> AuthFormPassword fapass
>> Session On
>> SessionCookieName fasession path=/
>> SessionMaxAge 120
>>
>> ErrorDocument 401 /webdoc/login.html
>> </Directory>
>>
>> <IfModule alias_module>
>> Alias /webdoc /opt/webroot/public/doc
>> ScriptAlias /webscr /opt/webroot/private_form/scr
>> </IfModule>
>>
>> (all this goes on via SSL, just in case that makes any difference)
>> Now, the first time I point my browser to "https://localhost/webscr/testscript" I am correctly redirected to the login page and required to provide a username and pass.
>> The problem is that, after successfully logging in, even though I can see the session cookie expiration set to 2 mins, if I wait longer than that without closing my browser,
>> in case of a simple refresh of the page I'm being allowed back in without needing to re-authenticate.
>>
>> The "https://localhost/webscr/testscript" is just a simple shell script that returns all environment variables.
>>
>> Now, even though I keep the browser open, if I refresh the page after the expiration period shouldn't I be forced to the login page again? What am I missing?
>>
>> Thanks in advance,
>> Thomas
>>
>>
--
Eric Covener
covener@xxxxxxxxx
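
The change suggested in the replies above, applied to the `<Directory>` block posted in the question, as an added example that is not part of the original thread. Every directive is copied from the posted configuration except the `Require valid-user` line; the example assumes the rest of the posted setup (the public directory and the alias block) stays as it is.

```apache
# Posted block for the protected directory, with an explicit authorization
# requirement added as suggested in the reply ("Try protecting the cgi or
# some larger scope with e.g. 'require valid-user'").
<Directory /opt/webroot/private_form>
    # Form-based authentication, unchanged from the original post
    AuthType Form
    AuthName FormProtected
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthFormUsername fauser
    AuthFormPassword fapass

    # Session settings, unchanged from the original post
    Session On
    SessionCookieName fasession path=/
    SessionMaxAge 120

    # Added line: the posted block had no Require directive, so it stated
    # no authentication requirement for requests under this directory.
    Require valid-user

    # Login form served from the public alias, unchanged from the original post
    ErrorDocument 401 /webdoc/login.html
</Directory>
```

After reloading the server, repeating the test from the question (log in, wait longer than the 120 seconds set by `SessionMaxAge`, refresh `https://localhost/webscr/testscript`) shows whether the login form is now presented again.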