Thanks for the quick reply, and my apologies for the incomplete setup (copy-paste typo). I do in fact have an authentication requirement via "Require valid-user" (as proof of that: the first time I try to access the script I am redirected to the login page).
I think I know what is happening: whenever my session expires and I refresh the page, the browser simply resubmits the form, so it logs me in again:

[image: image.png]

So if I'm right, the question would be: how do I protect the site against that?

On Sun, Jun 5, 2022 at 12:19 PM Eric Covener <cove...@gmail.com> wrote:

> It looks to me like you don't actually have an authentication requirement,
> so when your session expires it doesn't trigger a redirect to your login
> form. Try protecting the cgi or some larger scope with e.g. 'require
> valid-user'
>
> On Sun, Jun 5, 2022, 6:00 AM Thomas Fazekas <thomas.faze...@gmail.com> wrote:
>
>> Dear all,
>>
>> Either I misunderstood how the SessionMaxAge setting is supposed to work,
>> or I made a fundamental mistake in my setup, but, in a nutshell, it seems
>> that the users can access the form-protected (form_auth) folder even after
>> the session has expired.
>>
>> I have the following related setup:
>>
>> <Directory /opt/webroot/public>
>>     Options None
>>     AllowOverride None
>>     Require all granted
>> </Directory>
>>
>> <Directory /opt/webroot/private_form>
>>     # form-based authentication against a flat password file
>>     AuthFormProvider file
>>     AuthUserFile "conf/passwd"
>>     AuthType Form
>>     AuthName FormProtected
>>     # names of the username/password fields in the login form
>>     AuthFormUsername fauser
>>     AuthFormPassword fapass
>>     # mod_session: cookie-based session, expiring after 120 seconds
>>     Session On
>>     SessionCookieName fasession path=/
>>     SessionMaxAge 120
>>
>>     # unauthenticated requests are answered with the login page
>>     ErrorDocument 401 /webdoc/login.html
>> </Directory>
>>
>> <IfModule alias_module>
>>     Alias /webdoc /opt/webroot/public/doc
>>     ScriptAlias /webscr /opt/webroot/private_form/scr
>> </IfModule>
>>
>> (All this goes on via SSL, just in case that makes any difference.)
>>
>> Now, the first time I point my browser to
>> "https://localhost/webscr/testscript" I am correctly redirected to the
>> login page and required to provide a username and password.
>>
>> The problem is that, after successfully logging in, even though I can see
>> the session cookie expiration set to 2 mins, if I wait longer than that
>> without closing my browser, a simple refresh of the page lets me back in
>> without needing to re-authenticate.
>>
>> The "https://localhost/webscr/testscript" is just a simple shell script
>> that returns all environment variables.
>>
>> Now, even though I keep the browser open, if I refresh the page after the
>> expiration period, shouldn't I be forced to the login page again? What am I
>> missing?
>>
>> Thanks in advance,
>> Thomas
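One way to address the question at the top of this message (how to stop a browser refresh from re-submitting the login form and thereby re-authenticating), as an added example that is not part of this thread's own configuration: use mod_auth_form's dedicated login handler instead of the inline login. With the inline login, the form POSTs fauser/fapass straight to the protected URL, and that POST stays in the browser's history, so a refresh after the session has expired replays the credentials. With the login handler, the credentials are POSTed to a separate URL and the successful login is answered with a redirect to the protected page; the browser then holds a plain GET, and a refresh after expiry goes back to the login page. The handler paths /dologin and /dologout and the SessionCryptoPassphrase value are assumptions introduced here; the AuthName, field names, password file and the /webdoc and /webscr paths are taken from the configuration quoted above.

```apache
# Added example, not the configuration posted in this thread.
# Assumed: the /dologin and /dologout URLs and the passphrase below.
# Taken from the thread: AuthName, fauser/fapass, conf/passwd, /webdoc, /webscr.

# Session settings shared by the login handler and the protected area.
# httponly and secure are passed through to the Set-Cookie header (the site is
# served over TLS per the thread). SessionMaxAge writes an expiry into the
# session, which mod_session enforces on every later request; mod_session_crypto
# keeps that expiry (and the rest of the session) from being read or edited in
# the browser, since the session otherwise lives in the cookie in clear text.
Session On
SessionCookieName fasession path=/;httponly;secure
SessionMaxAge 120
SessionCryptoPassphrase "replace-with-a-long-random-secret"

# Dedicated login handler: the login form POSTs fauser/fapass here, not to the
# protected script. On success mod_auth_form redirects to
# AuthFormLoginSuccessLocation, so the browser ends up on a GET of the
# protected page; a refresh re-GETs it instead of re-POSTing the credentials.
<Location /dologin>
    SetHandler form-login-handler
    AuthType Form
    AuthName FormProtected
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthFormUsername fauser
    AuthFormPassword fapass
    AuthFormLoginSuccessLocation /webscr/testscript
    AuthFormLoginRequiredLocation /webdoc/login.html
</Location>

# Optional logout handler: clears the session and sends the browser to the
# login page, so users can end a session before SessionMaxAge does.
<Location /dologout>
    SetHandler form-logout-handler
    AuthName FormProtected
    AuthFormLogoutLocation /webdoc/login.html
</Location>

# The protected area keeps an explicit authorization requirement (the piece
# missing from the pasted configuration). When the session is absent or has
# expired, AuthFormLoginRequiredLocation redirects to the login page, which
# serves the same purpose as the ErrorDocument 401 used in the thread.
<Directory /opt/webroot/private_form>
    AuthType Form
    AuthName FormProtected
    AuthFormProvider file
    AuthUserFile "conf/passwd"
    AuthFormUsername fauser
    AuthFormPassword fapass
    AuthFormLoginRequiredLocation /webdoc/login.html
    Require valid-user
</Directory>

<IfModule alias_module>
    Alias /webdoc /opt/webroot/public/doc
    ScriptAlias /webscr /opt/webroot/private_form/scr
</IfModule>
```

The form in /webdoc/login.html must then POST to /dologin with input fields named fauser and fapass, matching AuthFormUsername and AuthFormPassword. If the form also carries a hidden field named httpd_location (the default name set by AuthFormLocation), mod_auth_form redirects there after login instead of to AuthFormLoginSuccessLocation, which is useful when users should land on whatever page they originally requested. The Location blocks and the Directory block all need the same AuthName so that the session created by the handler is accepted by the protected area.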