Eric,
I'm not sure I understand your last comment. Isn't a "Directory" a
"protected space" ?
For the sake of completeness here is my full config (I hope this doesn't
make my post too long):
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /opt/webroot/public/doc
ErrorLog ${APACHE_LOG_DIR}/https_error.log
#CustomLog ${APACHE_LOG_DIR}/https_access.log combined
CustomLog ${APACHE_LOG_DIR}/https_access.log vhost_ssl_combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server/https.crt
SSLCertificateKeyFile /etc/apache2/ssl/server/https.key
#SSLCACertificatePath /etc/apache2/ssl/ca/
SSLCACertificateFile /etc/apache2/ssl/ca/users_chain.crt
<Directory /opt/webroot/public>
Options None
AllowOverride None
Require all granted
</Directory>
<Directory /opt/webroot/private_form>
Options Indexes
AllowOverride None
AuthFormProvider file
AuthUserFile "conf/passwd"
Require valid-user
AuthType Form
AuthName FormProtected
AuthFormUsername fauser
AuthFormPassword fapass
Session On
SessionCookieName fasession path=/
SessionMaxAge 120
ErrorDocument 401 /webdoc1/login.html
SSLOptions +StdEnvVars +ExportCertData
</Directory>
<IfModule alias_module>
Alias /webdoc1 /opt/webroot/public/doc
ScriptAlias /webscr1 /opt/webroot/private_form/scr
</IfModule>
</VirtualHost>
</IfModule>
In the "/opt/webroot/public/doc" folder I have a simple static html asking
for username/pass (obviously with the right field names fauser/fapass)
whereas in the "/opt/webroot/private_form/scr" I have a simple shell
script which just displays the environment.
Now if I point my browser to "https://172.17.0.3:13443/webscr1/testscript.sh";
I am redirected to the login page (as expected).
Once I provide the username/pass I am redirected to the script and it
correctly lists all environment variables.
The problem I have is that it seems that the browser caches the provided
username/pass and in case I refresh the page after 120 secs of inactivity
it just simply logs me in again.
I know it does authenticate again from the cache 'cos (as a test) I've
tried to change the password in the meanwhile and the authentication has
failed.
In practical terms, what this means is that if the user forgets the
browser window open the next one (even after 120 secs) would be able to
use the session without re-authenticating.
So then what's the point of the "SessionMaxAge" setting ?
On Sun, Jun 5, 2022 at 12:54 PM Eric Covener <cove...@gmail.com> wrote:
> I'm not sure why your initial redirect works, but it looks like the
> mod_auth_form config seems to be in the wrong scope.
>
> It should be attached to the protected space, not a config section
> representing the form itself.
>
> On Sun, Jun 5, 2022 at 6:18 AM Eric Covener <cove...@gmail.com> wrote:
> >
> > It looks to me like you don't actually have an authentication
> requirement, so when your session expires it doesn't trigger a redirect to
> your login form. Try protecting the cgi or some larger scope with e.g.
> 'require valid-user'
> >
> > On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <thomas.faze...@gmail.com>
> wrote:
> >>
> >> Dear all,
> >>
> >> either I misunderstood how the SessionMaxAge setting is supposed to
> work or I made a fundamental mistake in my setup, but, in a nutshell, it
> seems that the users can access the form protected (form_auth) folder even
> after the session has expired.
> >>
> >> I have the following related setup :
> >>
> >> <Directory /opt/webroot/public>
> >> Options None
> >> AllowOverride None
> >> Require all granted
> >> </Directory>
> >>
> >> <Directory /opt/webroot/private_form>
> >> AuthFormProvider file
> >> AuthUserFile "conf/passwd"
> >> AuthType Form
> >> AuthName FormProtected
> >> AuthFormUsername fauser
> >> AuthFormPassword fapass
> >> Session On
> >> SessionCookieName fasession path=/
> >> SessionMaxAge 120
> >>
> >> ErrorDocument 401 /webdoc/login.html
> >> </Directory>
> >>
> >> <IfModule alias_module>
> >> Alias /webdoc /opt/webroot/public/doc
> >> ScriptAlias /webscr
> /opt/webroot/private_form/scr
> >> </IfModule>
> >>
> >> (all this goes on via SSL, just in case that makes any difference)
> >> Now, when the first time I point my browser to "
> https://localhost/webscr/testscript"; I am correctly redirected to the
> login page and required to provide a username and pass.
> >> The problem is that, after successfully logging in, even though I can
> see the session cookie expiration set to 2 mins, if I wait longer than that
> without closing my browser,
> >> in case of a simple refresh of the page I'm being allowed back in
> without needing to re-authenticate.
> >>
> >> The "https://localhost/webscr/testscript"; it's just a simple shell
> script that returns all environment variables.
> >>
> >> Now, even though I keep the browser open, if I refresh the page after
> the expiration period shouldn't I be forced to the login page again ? What
> am I missing ?
> >>
> >> Thanks in advance,
> >> Thomas
> >>
> >>
>
>
> --
> Eric Covener
> cove...@gmail.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>
