jaweed ali wrote:
Hi
I have Apache with basic authentication set up with LDAP for user
credentials. Apache allows me to log in on the server, but once a user logs in
to the web application and then even closes the browser, the browser
still has the authentication session saved. And the next time, if you just
visit the same site, the browser itself passes the uid/password to log in to the
website, which is really a security issue, as anyone can access the site
from the PC.
I also performed the following scenario:
1: I set up my site as www.mysite.com/site and set up user1/passwd as the uid/password
to access it.
2: On the other hand, I set up another directory, say
www.mysite.com/logout, and configured it to
authenticate logout/logout as the user ID/password.
If I access www.mysite.com/site by
passing user1/passwd, it successfully logs in.
After that I access www.mysite.com/logout
with logout/logout successfully, but
the problem is that
if I just access www.mysite.com/site, it
just allows me to log in without asking for the user ID/password,
so this way also does not provide a way to secure the site.
Is there any way that I can follow to secure my site, or is there no
way to secure a site with Apache when using basic authentication?
Thanks
Are you using the "AuthType Basic" Apache directive, or are you
authenticating the user via another means (such as a script that prompts
for the username and password, then saves it in a cookie)?
If it is the former, then there is no standard way to allow the user to
"logout". Some browsers (i.e. Firefox) have plug-ins available that will
allow you to clear the HTTP authentication information, but they do not
come with the browser. When you close the browser, it automatically
clears this authentication information. Are you SURE that you closed ALL
browser windows?
If it is the latter (which actually sounds more likely, since you say
the user is going to www.mysite.com/logout), then your code is probably
setting a cookie with an expiration date in the future. The logout page
is not properly clearing that cookie, so when you reopen the browser, the
cookie is found and the user is automatically logged in. You would need
to adjust your code so that it creates a cookie that is only active for
the current session.
Justin Pasher
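A small model of the "AuthType Basic" behaviour Justin describes, added here as an example and not taken from the thread: a hypothetical, simplified browser credential cache keyed by host and realm, with the poster's /site and /logout directories as constructed server config. It shows why logging in to /logout as logout/logout leaves user1's cached credentials for /site untouched (a different realm and directory is a different protection space) and why only closing the browser clears them.

```python
import base64

class BasicAuthCache:
    """Toy browser credential cache (hypothetical, simplified): an entry is kept per
    (host, realm) and replayed silently on later requests under the directory where
    the realm was first seen. No server response removes it; only closing the browser."""
    def __init__(self):
        self.entries = {}  # (host, realm) -> (path_prefix, user, password)
    def remember(self, host, realm, path, user, password):
        self.entries[(host, realm)] = (path.rsplit("/", 1)[0] + "/", user, password)
    def header_for(self, host, path):
        for (h, _realm), (prefix, user, pw) in self.entries.items():
            if h == host and path.startswith(prefix):
                return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
        return None

# Constructed server layout mirroring the thread: two Basic-protected directories.
SERVER = {"/site/": ("site", {"user1": "passwd"}),
          "/logout/": ("logout", {"logout": "logout"})}

def server_check(path, auth_header):
    """Return (status, realm): 200 when the Authorization header is valid."""
    for prefix, (realm, users) in SERVER.items():
        if path.startswith(prefix):
            if auth_header and auth_header.startswith("Basic "):
                user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
                if users.get(user) == pw:
                    return 200, None
            return 401, realm
    return 200, None

def visit(cache, host, path, credentials=None):
    """One navigation; returns (status, prompted). prompted is True when the
    browser would have shown its login dialog for this request."""
    status, realm = server_check(path, cache.header_for(host, path))
    if status == 200 or credentials is None:
        return status, status != 200
    cache.remember(host, realm, path, *credentials)
    return server_check(path, cache.header_for(host, path))[0], True

def thread_scenario():
    """Replay the poster's experiment. Returns (silently_in_after_logout, prompted_after_close)."""
    cache = BasicAuthCache()
    visit(cache, "www.mysite.com", "/site/", ("user1", "passwd"))
    visit(cache, "www.mysite.com", "/logout/", ("logout", "logout"))
    status, prompted = visit(cache, "www.mysite.com", "/site/")
    cache.entries.clear()  # closing the browser is the only thing that forgets user1
    return status == 200 and not prompted, visit(cache, "www.mysite.com", "/site/")[1]
```

thread_scenario() returns (True, True): the third visit to /site is authenticated with no prompt despite the /logout trick, and only after the cache is emptied does the browser ask again.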
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.