Re: [users@httpd] nod_session SessionMaxAge
Eric, I'm not sure I understand your last comment. Isn't a "Directory" a "protected space" ? For the sake of completeness here is my full config (I hope this doesn't make my post too long): ServerAdmin webmaster@localhost DocumentRoot /opt/webroot/public/doc ErrorLog ${APACHE_LOG_DIR}/https_error.log #CustomLog ${APACHE_LOG_DIR}/https_access.log combined CustomLog ${APACHE_LOG_DIR}/https_access.log vhost_ssl_combined SSLEngine on SSLCertificateFile /etc/apache2/ssl/server/https.crt SSLCertificateKeyFile /etc/apache2/ssl/server/https.key #SSLCACertificatePath /etc/apache2/ssl/ca/ SSLCACertificateFile /etc/apache2/ssl/ca/users_chain.crt Options None AllowOverride None Require all granted Options Indexes AllowOverride None AuthFormProvider file AuthUserFile "conf/passwd" Require valid-user AuthType Form AuthName FormProtected AuthFormUsername fauser AuthFormPassword fapass Session On SessionCookieName fasession path=/ SessionMaxAge 120 ErrorDocument 401 /webdoc1/login.html SSLOptions +StdEnvVars +ExportCertData Alias /webdoc1 /opt/webroot/public/doc ScriptAlias /webscr1 /opt/webroot/private_form/scr In the "/opt/webroot/public/doc" folder I have a simple static html asking for username/pass (obviously with the right field names fauser/fapass) whereas in the "/opt/webroot/private_form/scr" I have a simple shell script which just displays the environment. Now if I point my browser to "https://172.17.0.3:13443/webscr1/testscript.sh"; I am redirected to the login page (as expected). Once I provide the username/pass I am redirected to the script and it correctly lists all environment variables. The problem I have is that it seems that the browser caches the provided username/pass and in case I refresh the page after 120 secs of inactivity it just simply logs me in again. I know it does authenticate again from the cache 'cos (as a test) I've tried to change the password in the meanwhile and the authentication has failed. In practical terms, what this means is that if the user forgets the browser window open the next one (even after 120 secs) would be able to use the session without re-authenticating. So then what's the point of the "SessionMaxAge" setting ? On Sun, Jun 5, 2022 at 12:54 PM Eric Covener wrote: > I'm not sure why your initial redirect works, but it looks like the > mod_auth_form config seems to be in the wrong scope. > > It should be attached to the protected space, not a config section > representing the form itself. > > On Sun, Jun 5, 2022 at 6:18 AM Eric Covener wrote: > > > > It looks to me like you don't actually have an authentication > requirement, so when your session expires it doesn't trigger a redirect to > your login form. Try protecting the cgi or some larger scope with e.g. > 'require valid-user' > > > > On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas > wrote: > >> > >> Dear all, > >> > >> either I misunderstood how the SessionMaxAge setting is supposed to > work or I made a fundamental mistake in my setup, but, in a nutshell, it > seems that the users can access the form protected (form_auth) folder even > after the session has expired. > >> > >> I have the following related setup : > >> > >> > >> Options None > >> AllowOverride None > >> Require all granted > >> > >> > >> > >> AuthFormProvider file > >> AuthUserFile "conf/passwd" > >> AuthType Form > >> AuthName FormProtected > >> AuthFormUsername fauser > >> AuthFormPassword fapass > >> Session On > >> SessionCookieName fasession path=/ > >> SessionMaxAge 120 > >> > >> ErrorDocument 401 /webdoc/login.html > >> > >> > >> > >> Alias /webdoc /opt/webroot/public/doc > >> ScriptAlias /webscr > /opt/webroot/private_form/scr > >> > >> > >> (all this goes on via SSL, just in case that makes any difference) > >> Now, when the first time I point my browser to " > https://localhost/webscr/testscript"; I am correctly redirected to the > login page and required to provide a username and pass. > >> The problem is that, after successfully logging in, even though I can > see the session cookie expiration set to 2 mins, if I wait longer than that > without closing my browser, > >> in case of a simple refresh of the page I'm being allowed back in > without needing to re-authenticate. > >> > >> The "https://localhost/webscr/testscript"; it's just a simple shell > script that returns all environment variables. > >> > >> Now, even though I keep the browser open, if I refresh the page after > the expiration period shouldn't I be forced to the login page again ? What
Re: [users@httpd] nod_session SessionMaxAge
Thx for the quick reply ... and my apologies for the incomplete setup (copy-paste typo) I do have in fact an authentication requirement via "Require valid-user" (as a point proving that, when the first time I try to access the script I am redirected to the login page) I think I know what is happening : whenever my session expires and I refresh the page the browser simply resubmits the form so it logs me in again : [image: image.png] So if I'm right, the question would be, how do I protect the site against that ? On Sun, Jun 5, 2022 at 12:19 PM Eric Covener wrote: > It looks to me like you don't actually have an authentication requirement, > so when your session expires it doesn't trigger a redirect to your login > form. Try protecting the cgi or some larger scope with e.g. 'require > valid-user' > > On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas > wrote: > >> Dear all, >> >> either I misunderstood how the SessionMaxAge setting is supposed to work >> or I made a fundamental mistake in my setup, but, in a nutshell, it seems >> that the users can access the form protected (form_auth) folder even after >> the session has expired. >> >> I have the following related setup : >> >> >> Options None >> AllowOverride None >> Require all granted >> >> >> >> AuthFormProvider file >> AuthUserFile "conf/passwd" >> AuthType Form >> AuthName FormProtected >> AuthFormUsername fauser >> AuthFormPassword fapass >> Session On >> SessionCookieName fasession path=/ >> SessionMaxAge 120 >> >> ErrorDocument 401 /webdoc/login.html >> >> >> >> Alias /webdoc /opt/webroot/public/doc >> ScriptAlias /webscr /opt/webroot/private_form/scr >> >> >> (all this goes on via SSL, just in case that makes any difference) >> Now, when the first time I point my browser to " >> https://localhost/webscr/testscript"; I am correctly redirected to the >> login page and required to provide a username and pass. >> The problem is that, after successfully logging in, even though I can see >> the session cookie expiration set to 2 mins, if I wait longer than that >> without closing my browser, >> in case of a simple refresh of the page I'm being allowed back in without >> needing to re-authenticate. >> >> The "https://localhost/webscr/testscript"; it's just a simple shell >> script that returns all environment variables. >> >> Now, even though I keep the browser open, if I refresh the page after the >> expiration period shouldn't I be forced to the login page again ? What am I >> missing ? >> >> Thanks in advance, >> Thomas >> >> >>
Re: [users@httpd] nod_session SessionMaxAge
I'm not sure why your initial redirect works, but it looks like the mod_auth_form config seems to be in the wrong scope. It should be attached to the protected space, not a config section representing the form itself. On Sun, Jun 5, 2022 at 6:18 AM Eric Covener wrote: > > It looks to me like you don't actually have an authentication requirement, so > when your session expires it doesn't trigger a redirect to your login form. > Try protecting the cgi or some larger scope with e.g. 'require valid-user' > > On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas wrote: >> >> Dear all, >> >> either I misunderstood how the SessionMaxAge setting is supposed to work or >> I made a fundamental mistake in my setup, but, in a nutshell, it seems that >> the users can access the form protected (form_auth) folder even after the >> session has expired. >> >> I have the following related setup : >> >> >> Options None >> AllowOverride None >> Require all granted >> >> >> >> AuthFormProvider file >> AuthUserFile "conf/passwd" >> AuthType Form >> AuthName FormProtected >> AuthFormUsername fauser >> AuthFormPassword fapass >> Session On >> SessionCookieName fasession path=/ >> SessionMaxAge 120 >> >> ErrorDocument 401 /webdoc/login.html >> >> >> >> Alias /webdoc /opt/webroot/public/doc >> ScriptAlias /webscr /opt/webroot/private_form/scr >> >> >> (all this goes on via SSL, just in case that makes any difference) >> Now, when the first time I point my browser to >> "https://localhost/webscr/testscript"; I am correctly redirected to the login >> page and required to provide a username and pass. >> The problem is that, after successfully logging in, even though I can see >> the session cookie expiration set to 2 mins, if I wait longer than that >> without closing my browser, >> in case of a simple refresh of the page I'm being allowed back in without >> needing to re-authenticate. >> >> The "https://localhost/webscr/testscript"; it's just a simple shell script >> that returns all environment variables. >> >> Now, even though I keep the browser open, if I refresh the page after the >> expiration period shouldn't I be forced to the login page again ? What am I >> missing ? >> >> Thanks in advance, >> Thomas >> >> -- Eric Covener cove...@gmail.com - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] nod_session SessionMaxAge
It looks to me like you don't actually have an authentication requirement, so when your session expires it doesn't trigger a redirect to your login form. Try protecting the cgi or some larger scope with e.g. 'require valid-user' On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas wrote: > Dear all, > > either I misunderstood how the SessionMaxAge setting is supposed to work > or I made a fundamental mistake in my setup, but, in a nutshell, it seems > that the users can access the form protected (form_auth) folder even after > the session has expired. > > I have the following related setup : > > > Options None > AllowOverride None > Require all granted > > > > AuthFormProvider file > AuthUserFile "conf/passwd" > AuthType Form > AuthName FormProtected > AuthFormUsername fauser > AuthFormPassword fapass > Session On > SessionCookieName fasession path=/ > SessionMaxAge 120 > > ErrorDocument 401 /webdoc/login.html > > > > Alias /webdoc /opt/webroot/public/doc > ScriptAlias /webscr /opt/webroot/private_form/scr > > > (all this goes on via SSL, just in case that makes any difference) > Now, when the first time I point my browser to " > https://localhost/webscr/testscript"; I am correctly redirected to the > login page and required to provide a username and pass. > The problem is that, after successfully logging in, even though I can see > the session cookie expiration set to 2 mins, if I wait longer than that > without closing my browser, > in case of a simple refresh of the page I'm being allowed back in without > needing to re-authenticate. > > The "https://localhost/webscr/testscript"; it's just a simple shell script > that returns all environment variables. > > Now, even though I keep the browser open, if I refresh the page after the > expiration period shouldn't I be forced to the login page again ? What am I > missing ? > > Thanks in advance, > Thomas > > >
[users@httpd] nod_session SessionMaxAge
Dear all, either I misunderstood how the SessionMaxAge setting is supposed to work or I made a fundamental mistake in my setup, but, in a nutshell, it seems that the users can access the form protected (form_auth) folder even after the session has expired. I have the following related setup : Options None AllowOverride None Require all granted AuthFormProvider file AuthUserFile "conf/passwd" AuthType Form AuthName FormProtected AuthFormUsername fauser AuthFormPassword fapass Session On SessionCookieName fasession path=/ SessionMaxAge 120 ErrorDocument 401 /webdoc/login.html Alias /webdoc /opt/webroot/public/doc ScriptAlias /webscr /opt/webroot/private_form/scr (all this goes on via SSL, just in case that makes any difference) Now, when the first time I point my browser to " https://localhost/webscr/testscript"; I am correctly redirected to the login page and required to provide a username and pass. The problem is that, after successfully logging in, even though I can see the session cookie expiration set to 2 mins, if I wait longer than that without closing my browser, in case of a simple refresh of the page I'm being allowed back in without needing to re-authenticate. The "https://localhost/webscr/testscript"; it's just a simple shell script that returns all environment variables. Now, even though I keep the browser open, if I refresh the page after the expiration period shouldn't I be forced to the login page again ? What am I missing ? Thanks in advance, Thomas