Re: [users@httpd] mod_session SessionMaxAge

2022-06-05 Thread Thomas Fazekas
Thanks for the quick reply, and my apologies for the incomplete setup
(copy-paste typo).
I do in fact have an authentication requirement via "Require valid-user"
(as proof of that, the first time I try to access the script I am
redirected to the login page).

I think I know what is happening: whenever my session expires and I
refresh the page, the browser simply resubmits the form, so it logs me in
again.

So if I'm right, the question would be: how do I protect the site against
that?



Re: [users@httpd] mod_session SessionMaxAge

2022-06-05 Thread Eric Covener
I'm not sure why your initial redirect works, but it looks like the
mod_auth_form config seems to be in the wrong scope.

It should be attached to the protected space, not a config section
representing the form itself.



-- 
Eric Covener
cove...@gmail.com
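The two points raised in this thread (the authentication requirement has to sit on the protected space, and a refresh must not be able to re-post the login credentials) come together in a configuration like the one below. This is an added example written for this page, not the original poster's configuration and not something shipped with httpd; the /dologin and /dologout locations, the Directory path for the login page and the passphrase are assumptions, and the login form is assumed to post to /dologin with fields named fauser and fapass. Compared with the posted setup it adds three things: "Require valid-user" on /webscr, a dedicated form-login-handler whose response is a redirect (so a later browser refresh repeats a GET instead of replaying the credential POST), and mod_session_crypto, because a cookie-stored session without encryption (or without server-side storage via mod_session_dbd) is readable and forgeable by the client, expiry field included. Note also that mod_session refreshes the expiry on every request by default, so SessionMaxAge 120 is an idle timeout of two minutes, not an absolute one.

```apacheconf
# Added example, not the original poster's config. Directory path, the
# /dologin and /dologout locations and the passphrase are assumptions.
# Needs mod_session, mod_session_cookie, mod_session_crypto and
# mod_auth_form loaded (mod_session_crypto also needs apr-util built with
# crypto support).

# 1. Public space. The login page must stay reachable without a session,
#    otherwise the 401 ErrorDocument could never be served.
Alias /webdoc /opt/webroot/public/doc
<Directory "/opt/webroot/public/doc">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# 2. The login form posts here, not to the protected script. The handler
#    checks fauser/fapass against conf/passwd, writes the session cookie and
#    answers with a redirect, so the browser's history entry is a GET and a
#    refresh after expiry lands on the login page instead of re-posting
#    credentials. A hidden "httpd_location" field in the form overrides
#    AuthFormLoginSuccessLocation with the originally requested URL.
<Location "/dologin">
    SetHandler form-login-handler
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthType Form
    AuthName FormProtected
    AuthFormUsername fauser
    AuthFormPassword fapass
    AuthFormLoginRequiredLocation /webdoc/login.html
    AuthFormLoginSuccessLocation /webscr/testscript
    Session On
    SessionCookieName fasession path=/;HttpOnly;Secure
    SessionMaxAge 120
    SessionCryptoPassphrase "replace-with-a-long-random-passphrase"
</Location>

# 3. The protected space. "Require valid-user" is what makes an expired or
#    missing session matter at all: without it nothing asks for a user and
#    the CGI is served regardless. The session directives are repeated here
#    so the cookie is read (and its expiry checked) on every request.
ScriptAlias /webscr /opt/webroot/private_form/scr
<Location "/webscr">
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthType Form
    AuthName FormProtected
    Session On
    SessionCookieName fasession path=/;HttpOnly;Secure
    SessionMaxAge 120
    SessionCryptoPassphrase "replace-with-a-long-random-passphrase"
    ErrorDocument 401 /webdoc/login.html
    Require valid-user
</Location>

# 4. Explicit logout: drops the session and sends the browser back to the
#    login page.
<Location "/dologout">
    SetHandler form-logout-handler
    AuthType Form
    AuthName FormProtected
    AuthFormLogoutLocation /webdoc/login.html
    Session On
    SessionCookieName fasession path=/;HttpOnly;Secure
    SessionMaxAge 120
    SessionCryptoPassphrase "replace-with-a-long-random-passphrase"
</Location>
```

The login page itself (/webdoc/login.html) then only needs a form with method="post", action="/dologin", an input named fauser and one named fapass; AuthFormUsername and AuthFormPassword live on the handler location, so the protected Location does not need them. To check the behaviour, log in, wait past the idle window without touching the site, then refresh /webscr/testscript: the request should come back as a 401 with the login page, and the browser should not offer to resubmit anything because the last request to that URL was a GET.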



Re: [users@httpd] mod_session SessionMaxAge

2022-06-05 Thread Eric Covener
It looks to me like you don't actually have an authentication requirement,
so when your session expires it doesn't trigger a redirect to your login
form. Try protecting the cgi or some larger scope with e.g. 'require
valid-user'



[users@httpd] mod_session SessionMaxAge

2022-06-05 Thread Thomas Fazekas
Dear all,

Either I misunderstood how the SessionMaxAge setting is supposed to work or
I made a fundamental mistake in my setup, but, in a nutshell, it seems that
users can access the form-protected (form_auth) folder even after the
session has expired.

I have the following related setup:


Options None
AllowOverride None
Require all granted



AuthFormProvider file
AuthUserFile "conf/passwd"
AuthType Form
AuthName FormProtected
AuthFormUsername fauser
AuthFormPassword fapass
Session On
SessionCookieName fasession path=/
SessionMaxAge 120

ErrorDocument 401 /webdoc/login.html



Alias /webdoc /opt/webroot/public/doc
ScriptAlias /webscr /opt/webroot/private_form/scr


(All this goes on via SSL, just in case that makes any difference.)
Now, the first time I point my browser to
"https://localhost/webscr/testscript" I am correctly redirected to the login
page and required to provide a username and password.
The problem is that, after successfully logging in, even though I can see
the session cookie expiration set to 2 mins, if I wait longer than that
without closing my browser, a simple refresh of the page lets me back in
without needing to re-authenticate.

"https://localhost/webscr/testscript" is just a simple shell script
that returns all environment variables.

Now, even though I keep the browser open, if I refresh the page after the
expiration period, shouldn't I be forced to the login page again? What am I
missing?

Thanks in advance,
Thomas