On Tue, Aug 9, 2011 at 12:13 PM, Tom Browder <tom.brow...@gmail.com> wrote: > On Tue, Aug 9, 2011 at 05:07, Tom Evans <tevans...@googlemail.com> wrote: >> On Tue, Aug 9, 2011 at 4:42 AM, Rajeev Prasad <rp.ne...@yahoo.com> wrote: > ... >>> currently i have mod auth_mysql configured and running as plaintext >>> password: > ... >>> 2. how can i get a user log out once the browser tab is closed. seems i >>> have to close the browser and reopen, then only i am presented login box. > ... > >> I can only answer 2) >> >> When you authenticate with basic auth, you do not 'log in' or 'log >> out', authentication is performed on every single request. Browsers >> cache basic auth credentials and resubmit them on every request, until >> the server responds with a 401 response (authentication required), at >> which point the browser will prompt for new credentials. > > Is there a way to do that on a regular time interval, say every 20 min? > > Best regards, > > -Tom >
Not easily. I ported a legacy application that required authentication by basic auth to an SSO solution. One of the key criteria was that authentication should work precisely as it did before, even if it was now actually authenticating against a SAML Identity Provider. Anyhow, in this scenario I was able to collect the credentials from the basic auth request, authenticate against the IdP, and store the authorization in the user's session, along with the username supplied from basic auth. When the user clicked logout, this simply removed the authorization from the user's session, so that their access is immediately removed. The user's browser at that point is still sending basic auth along with every request, but the system does not act on it due to it matching the username in the user's session. If/when the 'logged out' user clicks on the login again, we remove the stored username from the session, and return a 401 to force the browser to re-request auth credentials. If this sounds overly complex, it was. It was also only achievable through the custom handlers/auth modules we wrote for this, you wouldn't be able to get the same effect with just Apache authnz. Thankfully, a few months afterwards the project manager acquiesced and allowed us to redesign the site with form based login. Welcome to the 20th century :) Cheers Tom --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
