httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <>
Subject RE: [users@httpd] Adding timeouts to Apache 2.0
Date Wed, 01 Sep 2004 07:11:34 GMT
Plain text please...

Further to Jim's comments about the inherent difficulties of controlling
client behaviour from the server, I would venture that the game is not
worth the candle.

If you want to implement a timeout, then presumably you are worried
about security. If you're worried about security you shouldn't really be
relying on basic auth... It is a very simple mechanism which can be
penetrated with a limited effort. If you have something genuinely
important to protect, you simply have to use a server-sided session
management application (based on mod_perl, PHP, Cocoon etc.). 

To put it another way, if my bank put my account details behind a basic
auth login, I'd close my account immediately.

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This
e-mail is of a private and personal nature. It is not related to the
exchange or business activities of the SWX Group. Le présent e-mail est
un message privé et personnel, sans rapport avec l'activité boursière du
Groupe SWX.

-----Original Message-----
From: Wallace, Brian S. []
Sent: Dienstag, 31. August 2004 20:53
Subject: [users@httpd] Adding timeouts to Apache 2.0

I am adding code to Apache 2.0 to provide a timeout for all
authenticated content.  I have everything working, but because browsers
use cached credentials, I cannot be sure that the user re-authenticated
or the browser re-authenticated.  I change the realm name and do a
HTTP_UNAUTHORIZED response to trick the browser into prompting the user.
However, if the user types the password in wrong or cancels the
authentication process, I can't be sure that the next successful
authentication came from my original HTTP_UNAUTHORIZED response or not.
Are there any tricks that can be done like telling the browser to clear
the password cache or have the browser return the realm name that it's
authenticating to?  Any other ideas or approaches to this problem would
be appreciated.
Brian S. Wallace
Oak Ridge National Laboratory
P. O. Box 2008, MS 6025
Oak Ridge, Tennessee  37831-6025
Voice (865) 576-3193
Fax   (865) 241-4000

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message