LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-14-2007, 01:11 PM   #1
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Rep: Reputation: 15
LogOff from Secure Web Interface


Hi all !
Am looking for a way to secure my critical web interfaces where the primary access is login password implemented by htaccess.
The login goes smoothly but when the web browser is closed when a user is still logged in,the login prompt is not displayed during the next login - the user is logged in directly.
I wanted a way on how I would control the interface by having web session timeout after periods of inactivity then there must be an absolute login prompt whenever a user tries to access the secured pages at any given time.
How do I do this?Do I need to use logout redirections and if so,how best?
Also note that am only using htaccess for security and the pages are being accessed thro' port 80 and not thought of putting them on https though am not sure this would sort anything.
Am running on Fedora Core 5 with apache as the webserver.
Please advice me on the best way forwad.

Last edited by dablew; 08-14-2007 at 01:13 PM.
 
Old 08-14-2007, 03:35 PM   #2
thebouv
Member
 
Registered: Aug 2007
Distribution: RHEL, Fedora, Ubuntu
Posts: 64

Rep: Reputation: 16
Per the Apache docs on Basic Authentication:

Quote:
How do I log out?

Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.

However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.

Consequently, the answer to this question is, you can't. Sorry.
Essentially, its up to the browser. If the browser is fully quit, that usually requires the person to re-authenticate, as the browser session has expired. However, if they have other browser windows/tabs open and merely close your site and then re-open it, the browser will probably maintain the login info and re-authenticate for the user. This is also true for say Mac OS X, where all browser windows are closed, but the browser application is technically still running.

Your best bet is to build a login system to your application and use session management in your code and not rely on Apache's Basic Authentication system. As you can see from the quote above, the functionality you're looking for isn't really built into it.
 
Old 08-17-2007, 02:20 AM   #3
dablew
Member
 
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43

Original Poster
Rep: Reputation: 15
Thanks thebouv for your very informative info.

Av been looking around for ways to integrate login scripts to my site bt not very helpful coz I still need to have a logout link when am logged in the site.

Am not very good at scripting and any links on howtos willl really be valied.

Pls assist.
 
  


Reply

Tags
logout


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to secure my web server lqchangba Linux - Security 1 04-22-2007 11:34 AM
Secure Web Hosting Tux-O-Matic Linux - General 11 11-09-2006 12:05 AM
How to secure the management interface imanassypov *BSD 1 02-27-2006 03:15 PM
Secure a web page sujte Linux - Security 2 06-15-2004 05:25 AM
Secure web server sanjibgupta Linux - Newbie 1 08-27-2003 08:05 AM


All times are GMT -5. The time now is 09:25 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration