Dear all, either I misunderstood how the SessionMaxAge setting is supposed to work or I made a fundamental mistake in my setup, but, in a nutshell, it seems that users can access the form-protected (form_auth) folder even after the session has expired.

I have the following related setup:

    <Directory /opt/webroot/public>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    <Directory /opt/webroot/private_form>
        AuthFormProvider file
        AuthUserFile "conf/passwd"
        AuthType Form
        AuthName FormProtected
        AuthFormUsername fauser
        AuthFormPassword fapass
        Session On
        SessionCookieName fasession path=/
        SessionMaxAge 120
        ErrorDocument 401 /webdoc/login.html
    </Directory>

    <IfModule alias_module>
        Alias /webdoc /opt/webroot/public/doc
        ScriptAlias /webscr /opt/webroot/private_form/scr
    </IfModule>

(all this goes on via SSL, just in case that makes any difference)

Now, the first time I point my browser to "https://localhost/webscr/testscript" I am correctly redirected to the login page and required to provide a username and pass. The problem is that, after successfully logging in, even though I can see the session cookie expiration set to 2 mins, if I wait longer than that without closing my browser, a simple refresh of the page lets me back in without needing to re-authenticate.

"https://localhost/webscr/testscript" is just a simple shell script that returns all environment variables.

Now, even though I keep the browser open, if I refresh the page after the expiration period, shouldn't I be forced to the login page again? What am I missing?

Thanks in advance,
Thomas
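As an added check (this is not code from the original post or from the Apache project), the script below decodes a mod_session cookie offline and applies the same expiry rule the server is supposed to apply, so an administrator can paste the value of their `fasession` cookie and see whether an `expiry` entry is present and whether it lies in the past. It assumes the session is stored with mod_session's plain (identity) encoding, i.e. no mod_session_crypto: `key=value` pairs joined by `&`, each URL-encoded, with the expiry kept under the key `expiry` as microseconds since the Unix epoch. The sample cookie is constructed here for illustration.

```python
"""Offline sanity check of a mod_session cookie body against SessionMaxAge.

Assumed (not stated in the original post): with the identity encoding the
cookie body is URL-encoded key=value pairs joined by '&', and the session
expiry is stored under 'expiry' as microseconds since the epoch.
"""
from urllib.parse import parse_qsl, quote

SESSION_MAX_AGE = 120      # seconds, mirroring "SessionMaxAge 120" in the post
EXPIRY_KEY = "expiry"      # assumed key name used by mod_session
US_PER_SECOND = 1_000_000  # apr_time_t resolution


def encode_session(entries: dict) -> str:
    """Build an identity-encoded session body (used only for constructed test data)."""
    return "&".join(
        f"{quote(k, safe='')}={quote(str(v), safe='')}" for k, v in entries.items()
    )


def decode_session(cookie_value: str) -> dict:
    """Parse the cookie body back into a dict, keeping keys with blank values."""
    return dict(parse_qsl(cookie_value, keep_blank_values=True))


def expected_expiry_us(saved_at_us: int, max_age_s: int = SESSION_MAX_AGE) -> int:
    """Expiry the server should write when it saves a session at saved_at_us."""
    return saved_at_us + max_age_s * US_PER_SECOND


def session_state(cookie_value: str, now_us: int) -> str:
    """Classify a cookie body as 'valid', 'expired', 'no-expiry' or 'malformed'.

    'no-expiry' means the server never wrote an expiry (SessionMaxAge not in
    effect for this save), which is the first thing to look for when a
    session outlives its configured lifetime.
    """
    entries = decode_session(cookie_value)
    raw = entries.get(EXPIRY_KEY)
    if raw is None:
        return "no-expiry"
    try:
        expiry_us = int(raw)
    except ValueError:
        return "malformed"
    if expiry_us <= 0:
        return "no-expiry"  # a zero expiry disables the check
    # Expiry strictly in the past means the session must be discarded;
    # an expiry equal to "now" is still accepted.
    return "expired" if expiry_us < now_us else "valid"


# Constructed sample: a session saved at a fixed instant with the post's 120 s max age.
SAVED_AT_US = 1_700_000_000 * US_PER_SECOND
SAMPLE_COOKIE = encode_session(
    {"user": "fauser", EXPIRY_KEY: expected_expiry_us(SAVED_AT_US)}
)

if __name__ == "__main__":
    for offset_s in (0, 60, 120, 121, 600):
        now = SAVED_AT_US + offset_s * US_PER_SECOND
        print(f"{offset_s:>4}s after save: {session_state(SAMPLE_COOKIE, now)}")
```

Run it as-is to see the boundary behaviour, or replace `SAMPLE_COOKIE` with a real cookie body and `now` with the current time in microseconds. Because the identity encoding stores the expiry in the browser-held cookie, this check only tells you what the server will read, not that the value is trustworthy; keeping the expiry honest requires the session to be encrypted and integrity-protected with mod_session_crypto (`SessionCryptoPassphrase`), and marking the cookie `secure` and `httponly` in `SessionCookieName` keeps it off plaintext connections and away from scripts.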