It looks to me like you don't actually have an authentication requirement, so when your session expires it doesn't trigger a redirect to your login form. Try protecting the CGI or some larger scope with e.g. 'require valid-user'.
On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <thomas.faze...@gmail.com> wrote:
> Dear all,
>
> either I misunderstood how the SessionMaxAge setting is supposed to work
> or I made a fundamental mistake in my setup, but, in a nutshell, it seems
> that the users can access the form protected (form_auth) folder even after
> the session has expired.
>
> I have the following related setup:
>
>     <Directory /opt/webroot/public>
>         Options None
>         AllowOverride None
>         Require all granted
>     </Directory>
>
>     <Directory /opt/webroot/private_form>
>         AuthFormProvider file
>         AuthUserFile "conf/passwd"
>         AuthType Form
>         AuthName FormProtected
>         AuthFormUsername fauser
>         AuthFormPassword fapass
>         Session On
>         SessionCookieName fasession path=/
>         SessionMaxAge 120
>
>         ErrorDocument 401 /webdoc/login.html
>     </Directory>
>
>     <IfModule alias_module>
>         Alias /webdoc /opt/webroot/public/doc
>         ScriptAlias /webscr /opt/webroot/private_form/scr
>     </IfModule>
>
> (all this goes on via SSL, just in case that makes any difference)
> Now, the first time I point my browser to
> "https://localhost/webscr/testscript" I am correctly redirected to the
> login page and required to provide a username and pass.
> The problem is that, after successfully logging in, even though I can see
> the session cookie expiration set to 2 mins, if I wait longer than that
> without closing my browser, in case of a simple refresh of the page I'm
> being allowed back in without needing to re-authenticate.
>
> The "https://localhost/webscr/testscript" is just a simple shell script
> that returns all environment variables.
>
> Now, even though I keep the browser open, if I refresh the page after the
> expiration period shouldn't I be forced to the login page again? What am I
> missing?
>
> Thanks in advance,
> Thomas
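The quoted `<Directory /opt/webroot/private_form>` block with the authorization requirement the reply points to, added here as an illustration and not part of either message in the thread. The `SessionCryptoPassphrase` line assumes mod_session_crypto is loaded, and its value is a placeholder.

```apache
# Added example: the private_form block from the thread with an explicit
# authorization requirement. Without a Require directive in this block the
# Auth* and Session* lines are configured but never enforced, so a request
# arriving with an expired session is not challenged again.
<Directory /opt/webroot/private_form>
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthType Form
    AuthName FormProtected
    AuthFormUsername fauser
    AuthFormPassword fapass

    # The line the thread's config lacks: every request below this
    # directory must carry a valid, unexpired session or be challenged.
    Require valid-user

    Session On
    # Site is served over TLS, so mark the cookie HttpOnly and Secure
    # (attribute syntax as documented for mod_session_cookie).
    SessionCookieName fasession path=/;httponly;secure
    SessionMaxAge 120
    # Assumption: mod_session_crypto is loaded. Without it the session,
    # including its expiry, is stored readable in the cookie itself.
    SessionCryptoPassphrase REPLACE_WITH_LONG_RANDOM_SECRET

    ErrorDocument 401 /webdoc/login.html
</Directory>
```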