I'm not sure why your initial redirect works, but it looks like the mod_auth_form config seems to be in the wrong scope.
It should be attached to the protected space, not a config section representing the form itself. On Sun, Jun 5, 2022 at 6:18 AM Eric Covener <cove...@gmail.com> wrote: > > It looks to me like you don't actually have an authentication requirement, so > when your session expires it doesn't trigger a redirect to your login form. > Try protecting the cgi or some larger scope with e.g. 'require valid-user' > > On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <thomas.faze...@gmail.com> wrote: >> >> Dear all, >> >> either I misunderstood how the SessionMaxAge setting is supposed to work or >> I made a fundamental mistake in my setup, but, in a nutshell, it seems that >> the users can access the form protected (form_auth) folder even after the >> session has expired. >> >> I have the following related setup : >> >> <Directory /opt/webroot/public> >> Options None >> AllowOverride None >> Require all granted >> </Directory> >> >> <Directory /opt/webroot/private_form> >> AuthFormProvider file >> AuthUserFile "conf/passwd" >> AuthType Form >> AuthName FormProtected >> AuthFormUsername fauser >> AuthFormPassword fapass >> Session On >> SessionCookieName fasession path=/ >> SessionMaxAge 120 >> >> ErrorDocument 401 /webdoc/login.html >> </Directory> >> >> <IfModule alias_module> >> Alias /webdoc /opt/webroot/public/doc >> ScriptAlias /webscr /opt/webroot/private_form/scr >> </IfModule> >> >> (all this goes on via SSL, just in case that makes any difference) >> Now, when the first time I point my browser to >> "https://localhost/webscr/testscript"; I am correctly redirected to the login >> page and required to provide a username and pass. >> The problem is that, after successfully logging in, even though I can see >> the session cookie expiration set to 2 mins, if I wait longer than that >> without closing my browser, >> in case of a simple refresh of the page I'm being allowed back in without >> needing to re-authenticate. >> >> The "https://localhost/webscr/testscript"; it's just a simple shell script >> that returns all environment variables. >> >> Now, even though I keep the browser open, if I refresh the page after the >> expiration period shouldn't I be forced to the login page again ? What am I >> missing ? >> >> Thanks in advance, >> Thomas >> >> -- Eric Covener cove...@gmail.com --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
