Hi Alan,

> "Palmer J.D.F." <[EMAIL PROTECTED]> wrote:
> > Is it possible to set the timeout for the auth cookie used by the mod_radius
> > authentication module to 0; by Zero I mean no time, not infinite time?
>
> You mean re-authenticate for every request? That would require
> source code changes.

Effectively yes, see the description of what I'm trying to do below.

> > Or, is there a way that I can clear the cookie on a failed login?
>
> The module doesn't set the cookie on a failed login, so there
> shouldn't be any problem.

If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details. I guess it may not be a cookie if one isn't set, but the credentials are being cached somewhere.

> > At present, if a user login fails the user has to close the browser and open
> > another in order to be able to re-enter their credentials, I want to try to
> > get round this if possible.
>
> I don't see why that would happen. The module was designed, and
> tested to work properly in that situation.
>
> Can you explain more about what you're doing, how, and what browser
> you're using?

So far this has only been tested with IE on a patched up but otherwise std XP machine.

The reason for the authentication is to log into a web-redirect gateway. An iptables rule redirects any un-authenticated IP/MAC pairs to the login page; on a successful login the page (a php page which resides in a protected folder) adds some iptables rules to allow that particular client (IP/MAC pair) through the gateway. This is why it doesn't matter that there is an instant timeout, as the client will not need to access the page again until his/her connection times out and the 'allowing' iptables rules are removed.

The removal of stale connections is handled with a cron job script that compares iptables entries to the arp table on the internal interface, if there are iptables rules for an IP/MAC pair, but no arp entry for them then the iptables rules are removed. Quite crude, but it works.

In summary, I have index.php that users are redirected to, this page contains a 'Log In' link to a page in a protected folder /gateway/go.php when they click the link they are challenged for credentials, if they are correct then /gateway/go.php loads setting some iptables rules, if it fails then we are currently loading a page called failed.php that explains to the user that they need to shut down the browser and open a new one and try again.

An aside to this, is it possible to have a couple of text boxes on the login page where the user/pass are entered which are then sent to mod_radius, as opposed to having a pop up user/pass dialogue box?

Thanks,
Jezz Palmer.
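
The stale-rule cleanup described in the message above (comparing iptables allow rules against the ARP table of the internal interface), sketched as an added example that is not code from the original post. The rule layout in a FORWARD chain, the interface name `eth1`, the function names and all sample data are assumptions constructed for illustration; beyond the post's description, it also treats incomplete ARP entries and IP/MAC mismatches as "no ARP entry".

```python
import re

# Constructed sample input: `iptables -S FORWARD` output and /proc/net/arp contents.
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -s 192.168.1.10/32 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
-A FORWARD -s 192.168.1.11/32 -m mac --mac-source 00:11:22:33:44:66 -j ACCEPT
-A FORWARD -s 192.168.1.12/32 -m mac --mac-source 00:11:22:33:44:77 -j ACCEPT
-A FORWARD -s 192.168.1.13/32 -m mac --mac-source 00:11:22:33:44:88 -j ACCEPT
"""
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth1
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth1
192.168.1.13     0x1         0x2         00:11:22:33:44:99     *        eth1
192.168.1.11     0x1         0x2         00:11:22:33:44:66     *        eth0
"""

# Assumed rule shape: one ACCEPT rule per client, matching source IP and MAC.
RULE_RE = re.compile(
    r"^-A \S+ .*?-s (\d+\.\d+\.\d+\.\d+)(?:/32)? .*?--mac-source ([0-9A-Fa-f:]{17})\b")

def allowed_pairs(rules_text):
    """Yield (ip, mac, rule_spec) for each per-client ACCEPT rule."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and line.rstrip().endswith("-j ACCEPT"):
            # iptables prints MACs in upper case, /proc/net/arp in lower case.
            yield m.group(1), m.group(2).lower(), line[3:]

def live_pairs(arp_text, iface):
    """Return {(ip, mac)} for complete ARP entries seen on `iface`."""
    live = set()
    for line in arp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        # Flag bit 0x2 marks a completed entry; 0x0 is an unanswered lookup.
        if len(f) == 6 and f[5] == iface and int(f[2], 16) & 0x2:
            live.add((f[0], f[3].lower()))
    return live

def stale_rules(rules_text, arp_text, iface="eth1"):
    """Rule specs whose exact IP/MAC pair has no live ARP entry on `iface`."""
    live = live_pairs(arp_text, iface)
    return [spec for ip, mac, spec in allowed_pairs(rules_text)
            if (ip, mac) not in live]

if __name__ == "__main__":
    for spec in stale_rules(SAMPLE_RULES, SAMPLE_ARP):
        print("iptables -D " + spec)  # dry run: print, do not execute
```

Matching on the exact pair means a rule is also flagged when its IP now answers ARP with a different MAC, so an allow rule does not outlive the client it was created for.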