jaweed ali wrote:
HiI have apache with basic authentication setup with LDAP for users credential. apache allow me to login on server but once a user login to the webapplication and then even close the browser, the browser still have Authentication Session safe. And next time if you just visit same site the browser itself passes the uid/pssword to login the website. which is really a security issue so any one can access site from the PC.I also performed the senario such as1: I setup my site as www.mysite.com/site <http://www.mysite.com/site> and setup user1/passwd as uid password to access it 2: on the othere hand I setup other directory say www.mysite.com/logout <http://www.mysite.com/logout> and configured to autenticate logout/logout as userid password if i access www.mysite.com/site <http://www.mysite.com/site> by passing user1/pwsswd it successfully loging after that i access www.mysite.com/logout <http://www.mysite.com/logout> with logout/logout successfullu but the problem is that if i just access www.mysite.com/site <http://www.mysite.com/site> it just allow me to loging witout asking user id password so this way also doesnot provide a way to secure the site Is there any way that i can follow to secure my site or there is no way to secure site with apache when using basic authentication Thanks
Are you using the "AuthType Basic" Apache directive or are you authentication the user via another means (such as a script that prompts for the username and password, then save it in a cookie)?
If it is the former, then their is no standard way to allow the user to "logout". Some browsers (i.e. Firefox) have plug-ins available that will allow you to clear the HTTP authentication information, but they do not come with the browser. When you close the browser, it automatically clears this authentication information. Are you SURE that you closed ALL browser windows?
If it is the latter (which actually sounds more likely, since you say the user is going to www.mysite.com/logout), then your code is probably setting a cookie with an expiration date in the future. The logout page is not properly clearing that cookie, so when you reopen the browse, the cookie is found and the user is automatically logged in. You would need to adjust your code so that it creates a cookie that is only active for the current session.
Justin Pasher --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|