Roger,

On 8/24/16 9:53 AM, Roger Paanini wrote:
> Chris, I am testing it by logging into the website using basic 
> authentication and then waiting for the time out duration and try
> to access the page again. I am expecting to be challenged for
> credentials again when I tried to access the page after the
> timeout. But I am never challenged after the timeout - even after
> several hours beyond the timeout value.

You are misunderstanding the nature of HTTP BASIC authentication.

If the server sends a 403 response, your browser will show an
authentication dialog (username/password) and then provide those
credentials to the server with a follow-up request for the same
resource. For subsequent requests, those same credentials will be sent
with no end-date. HTTP BASIC has no provision for "session expiration"
as a part of the spec (that's why it's called "BASIC").

If you want to *really* expire the session and request a new
authentication challenge, you'll need to do it yourself. For example:
when authentication succeeds, place a token in the session that says
"last authenticated request". But before you do that, check the
session to see when the last authenticated request actually was. If it
was more than e.g. 60 seconds ago, *you* need to respond with an HTTP
403 response. httpd is not going to do this for you.

> But I see the following messages in my log file... I suspect my
> session modules are not configured correctly?

I'm sure your session modules are configured correctly. You just
misunderstand what the protocol (and httpd) can do for you, and what
you will have to do yourself.

-chris

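Added example, not part of the original message: one way to implement the "last authenticated request" check described above, in a Python application sitting behind httpd. The names `gate`, `IDLE_LIMIT`, `REALM` and the session keys are hypothetical; the challenge is sent as a 401 with a `WWW-Authenticate` header, which is the response that makes a browser prompt for credentials.

```python
import time

IDLE_LIMIT = 60        # seconds; the "e.g. 60 seconds" from the message
REALM = "example"      # assumed realm name

CHALLENGE = ("401 Unauthorized",
             [("WWW-Authenticate", f'Basic realm="{REALM}"')])
OK = ("200 OK", [])


def gate(session, remote_user, now=None):
    """Decide whether an authenticated request must be challenged again.

    session     -- mutable per-client dict from any server-side session store
    remote_user -- user name httpd already verified for this request, or None
    now         -- timestamp in seconds; defaults to the current time
    """
    now = time.time() if now is None else now
    if not remote_user:
        return CHALLENGE

    if session.get("user") not in (None, remote_user):
        session.clear()  # another user on this session: start from scratch

    last = session.get("last_auth_request")
    expired = last is not None and now - last > IDLE_LIMIT

    if expired and not session.get("challenge_sent"):
        # The browser keeps replaying its cached credentials, so this request
        # looks valid. Reject it once so the browser prompts the user again.
        session["challenge_sent"] = True
        return CHALLENGE

    # First login, an active session, or the answer to our challenge:
    # record this as the last authenticated request.
    session.update(user=remote_user, last_auth_request=now,
                   challenge_sent=False)
    return OK


if __name__ == "__main__":
    s = {}  # constructed session and timestamps for a stand-alone run
    for t in (1000, 1030, 1200, 1205):
        print(t, gate(s, "roger", t)[0])
```

A client that simply repeats the request with the same `Authorization` header passes on the second try: Basic gives the server no way to tell retyped credentials from replayed ones, so this forces a prompt in browsers rather than invalidating the credentials.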