httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <>
Subject RE: [users@httpd] How to control access using Basic Authentication identifying sessions
Date Tue, 16 Sep 2003 08:39:19 GMT
>-----Original Message-----
>From: David []
>I need to implement a way such that once the user leaves my realm and
>tries to re-enter my website, he will have to re-login again. This is
>because if the computer is a public computer. A user may enter my
>website using his user ID and password. If he doesn't close 
>that browser
>window and leaves that computer, another user will be able to enter my
>website still.

Check out

Just to be clear - HTTP is a stateless protocol. The concept of being
"logged in" is an illusion. What happens is that the first time a user
tries to access a restricted realm, the server responds with a 401
Unauthorized. The browser is clever enough to recognise this and so,
rather than reporting the 401, prompts the user for a username/password.
Once you type this in the browser requests the URI again, this time
adding the username/password (aka *"credentials") to the request. On
every subsequent request to that URI or its subdirectories, the browser
adds the same credentials. 

On the server side, the server first gets a plain request (no
credentials), responds with 401, then later gets another request with
credentials - if the credentials are OK, it serves the content. Note
that the server doesn't know or care that the requests are coming from
the same user - they are just a bunch of independent HTTP requests; if
they have valid credentials they are served, if not - 401.

When the user "leaves your realm", all he does is go to a different URL.
This means his browser sends a request to a different webserver
somewhere else on the planet. He doesn't send a message to your server
to say, "Ok thanks, I'm finished with you now. I'm going off to Google
for a bit..." In other words, you have no way of knowing what the guy
who just logged in is doing - he could've surfed off to a dozen
different sites or could be avidly reading your page.

Having said all that, there is a way to preserve state and that is to
use cookies. A cookie is a small chunk of data which the browser caches
and then returns with every subsequent request. You can put
identification on the cookie so you know if the same guy has come back.
A cookie can also "expire" so you can time-out a "connection". However,
I don't think you can mix cookies with Basic Auth - the two mechanisms
are quite separate so if you use cookies, you have to use CGI or Cocoon
or something to handle the login and cookie administration.

Cookies is a whole new can of worms, but this will get you started:

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
>Does anyone know how I can implement the above mentioned? 
>1. Once they exit the protected realm (i.e. the protected folder in my
>htdocs), when they re-enter the site again they will be asked for a
>Many thanks for your time and attention. 
>Warmest Regards
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:> for more info.
>To unsubscribe, e-mail:
>   "   from the digest:
>For additional commands, e-mail:
Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Swiss Exchange.
This e-mail is of a private and personal nature. It is not related to
the exchange or business activities of the SWX Swiss Exchange. Le
présent e-mail est un message privé et personnel, sans rapport avec
l'activité boursière de la SWX Swiss Exchange.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message