The "prebuilt" login window that you describe is Apache's response to any
authentication requests. Apache supports several back-end databases for
authentication (e.g. dbm files), but it will always give this window.

There is of course nothing to stop you using a form to submit a username and
password to another system once an SSL page is established. However, you'll
need some method of processing the data from the form (perl, php etc) and
passing it to whatever authentication you write. You'll want to be careful
that this data is passed (relatively) securely, as it would be if you used
Apache authentication and the username/password database resided on the same
machine.

You can of course set your backend system to time-out after a certain length
of time since logging in (or activity). Unlike the Apache Auth, your browser
wouldn't necessarily resend the data (although IE 5.5 onwards does offer to
do that automatically).

It is a lot of work however, and it may be easier to educate users to close
their browser when finished.
-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
> -----Original Message-----
> From: D. Scott Davidson [mailto:[EMAIL PROTECTED]]
> Sent: 09 April 2001 14:34
> To: [EMAIL PROTECTED]
> Subject: Re: Forcing Session Expiration in 'apache/mod_ssl'
> Implementations
>
>
>
> I am really interested in a response to the below question also.
> But, on a related note I have a question about controlling the login
> to secured web pages using apache-mod_ssl. I would like to not use
> that prebuilt little login window that pops up automatically when
> setting the .htaccess permission, but instead
> use a web page on our site for that initial login. Does anyone know
> how to accomplish this or has anyone done something similar?
>
> Thanks in advance
>
> [EMAIL PROTECTED] wrote:
>
> > We are hosting several web sites to Redhat Linux/x86 platforms using the
> > apache/mod-ssl secure web server implementation. Our problem is this, we
> > would like to implement an explicit "logout" feature for some of our secure
> > virtual hosts. This feature would simply be implemented as a logout button
> > embedded in an HTML page that would kick-off a server-side cgi script
> > (written in either Perl or C). The sole function of this logout script
> > would be to purge all SSL session data from the server's cache. Thus, a
> > complete renegotiation of the SSL session would be forced, even if a client
> > browsed back to the site before the cache timeout period expires. Is this
> > possible and, if so, could you point us to the necessary documentation?
> >
> > Thanks!
> > Shelley
> >
> > ______________________________________________________________________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
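
The backend time-out and explicit logout discussed in this thread, as an added example that is not code from any poster or from Apache/mod_ssl. It is written in Python rather than the Perl or PHP mentioned above; `SessionStore`, its method names and both timeout values are assumptions chosen for illustration, and the form's password check is assumed to have happened before `login()` is called.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity allowed
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: maximum session lifetime since login


class SessionStore:
    """Server-side session table keyed by a hash of the cookie token."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested offline
        self._sessions = {}   # sha256(token) -> [user, login_time, last_seen]

    @staticmethod
    def _key(token):
        # Store only a digest so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        """Call only after the form's username/password have been verified."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = [user, now, now]
        return token  # send as a cookie with the Secure and HttpOnly attributes

    def check(self, token):
        """Return the user for a live session, or None if expired or unknown."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, login_time, last_seen = entry
        now = self._clock()
        if now - login_time > ABSOLUTE_TIMEOUT or now - last_seen > IDLE_TIMEOUT:
            del self._sessions[key]  # expired: the user must log in again
            return None
        entry[2] = now  # activity resets the idle timer, not the absolute one
        return user

    def logout(self, token):
        """Explicit logout button: drop the server-side record."""
        return self._sessions.pop(self._key(token), None) is not None
```

Because the session lives in the application's own table, logout and expiry take effect on the next request regardless of what the browser or the SSL session cache still holds.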