Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
08-14-2007, 12:11 PM   #1
Member
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43
LogOff from Secure Web Interface
Hi all!
I am looking for a way to secure my critical web interfaces, where the primary access is a login password implemented by htaccess.
The login goes smoothly, but when the web browser is closed while a user is still logged in, the login prompt is not displayed during the next login - the user is logged in directly.
I wanted a way to control the interface by having the web session time out after periods of inactivity; then there must be an absolute login prompt whenever a user tries to access the secured pages at any given time.
How do I do this? Do I need to use logout redirections and, if so, how best?
Also note that I am only using htaccess for security, the pages are being accessed through port 80, and I have not thought of putting them on https, though I am not sure this would sort anything.
I am running Fedora Core 5 with Apache as the web server.
Please advise me on the best way forward.
Last edited by dablew; 08-14-2007 at 12:13 PM.

08-14-2007, 02:35 PM   #2
Member
Registered: Aug 2007
Distribution: RHEL, Fedora, Ubuntu
Posts: 64
Per the Apache docs on Basic Authentication:
Quote:
How do I log out?
Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.
However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.
Consequently, the answer to this question is, you can't. Sorry.
|
Essentially, it's up to the browser. If the browser is fully quit, that usually requires the person to re-authenticate, as the browser session has expired. However, if they have other browser windows/tabs open and merely close your site and then re-open it, the browser will probably maintain the login info and re-authenticate for the user. This is also true for, say, Mac OS X, where all browser windows are closed but the browser application is technically still running.
Your best bet is to build a login system into your application and use session management in your code and not rely on Apache's Basic Authentication system. As you can see from the quote above, the functionality you're looking for isn't really built into it.
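
The application-level session management recommended in the reply above, as an added example (not code from the thread or from the Apache documentation): a server-side session table that enforces an inactivity timeout, an absolute lifetime, and a logout that works because the server, not the browser, forgets the session. The class name `SessionStore`, the cookie name `sid`, and both timeout values are assumptions chosen for illustration, and the `Secure` cookie flag assumes the pages are served over HTTPS.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed policy: expire after 15 minutes of inactivity
ABSOLUTE_LIFETIME = 8 * 3600  # assumed policy: force a fresh login after 8 hours


class SessionStore:
    """Server-side session table keyed by an unguessable random ID."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # session id -> {"user", "created", "last_seen"}

    def login(self, user):
        """Call only after the password check succeeded; returns the cookie value."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def authenticate(self, sid):
        """Return the user for a live session, or None to send them to the login page."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        idle = now - session["last_seen"]
        age = now - session["created"]
        if idle > IDLE_TIMEOUT or age > ABSOLUTE_LIFETIME:
            del self._sessions[sid]  # expired: forget it on the server
            return None
        session["last_seen"] = now   # activity slides the idle window
        return session["user"]

    def logout(self, sid):
        """Logout link handler: once removed here, the old cookie is worthless."""
        self._sessions.pop(sid, None)


def session_cookie(sid):
    """Set-Cookie value with no Expires/Max-Age, so the browser drops it on exit."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"
```

Unlike Basic Authentication, the browser here holds only a random token, so a logout link or a timeout takes effect even if the browser keeps sending the old cookie.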

08-17-2007, 01:20 AM   #3
Member
Registered: Oct 2006
Distribution: CentOS | Fedora | Mint | Ubuntu
Posts: 43
Original Poster
Thanks, thebouv, for your very informative info.
I've been looking around for ways to integrate login scripts into my site, but it was not very helpful because I still need to have a logout link when I am logged in to the site.
I am not very good at scripting, and any links to howtos will really be valued.
Please assist.
All times are GMT -5.