
Login page that supports "Logout" and times out.

 
nospam247

(Msg. 1) Posted: Thu Nov 03, 2005 9:55 pm
Post subject: Login page that supports "Logout" and times out.
Archived from groups: uk>net>web>authoring, others

The standard authentication in Apache is pretty insecure in that it
relies on the client to "forget" the username and password. So if you
log into a site with basic authentication and keep the browser open, you
have access forever. Closing the browser usually ceases this access, but
as far as I can tell this is not forced in any way.

Are there any open-source implementations that allow a more secure login
to a server that supports (ideally)

1) SSL
2) Has an inactivity timeout, that is set by the server and not the client.
3) The client can log out.
4) An inability to save the username/password in the browser's "save
password" function.

Banks do all of these. eBay does the first 3. Is there anything that is
a bit more secure than the standard apache authentication?

I'm running Apache 2.0.55 on a Sun running Solaris with SSL enabled via
the mod_ssl and openssl.

davideyeahsure

(Msg. 2) Posted: Fri Nov 04, 2005 1:55 am
Post subject: Re: Login page that supports "Logout" and times out.
Imported from groups: alt>apache>configuration

This message is not archived

flavell

(Msg. 3) Posted: Fri Nov 04, 2005 5:55 am
Post subject: Re: Login page that supports "Logout" and times out.
Archived from groups: uk>net>web>authoring, others

On Fri, 4 Nov 2005, Dave wrote:

> The standard authentication in Apache is pretty insecure

That's pretty unfair. Web authentication does what it says on the
tin: defines web credentials for access to access-controlled pages.

The underlying protocols quite deliberately did not implement
statefulness, and therefore in themselves do not define any kind of
"session". So it should come as no surprise that the concept of
logging-in and logging-out (which themselves imply some kind of
persistent session between these events) is not inherently present,
and has to be implemented "on top of" the existing protocols.

> in that it relies on the client to "forget" the username and
> password. So if you log into a site with basic authentication and
> keep the browser open, you have access forever.

For as long as those credentials are valid at the server, yes.

> Closing the browser usually ceases this access, but as far as I can
> tell this is not forced in any way.

Client agents are certainly able to remember one or more sets of
credentials for a resource, and to try them again when challenged by
the server, yes.

Evidently this mechanism isn't the one that you're looking for, which
is fair enough if you've considered your requirements carefully;
although you should be aware that maintaining state, and making access
to resources conditional on that state, has its own implications, such
as the effect on cacheability, which can make access to pages
(particularly those which have to be re-created every time by
server-side processing) quite sluggish (I was in just such a situation
the other day, where even going Back to the previous page was taking
over 10 seconds while their server re-generated the uncacheable page
from scratch, which made things mighty tedious - I was glad to leave
a.s.a.p and buy the product from a competing vendor, whose web site
was much more responsive).

best regards
Nick Kew

(Msg. 4) Posted: Fri Nov 04, 2005 7:55 am
Post subject: Re: Login page that supports "Logout" and times out.
Archived from groups: per prev. post

Dave wrote:
> The standard authentication in Apache is pretty insecure in that it
> relies on the client to "forget" the username and password. So if you
> log into a site with basic authentication and keep the browser open, you
> have access forever. Closing the browser usually ceases this access, but
> as far as I can tell this is not forced in any way.
>
> Are there any open-source implementations that allow a more secure login
> to a server that supports (ideally)

To add to Mark and Alan's replies ...

(a) "The standard authentication in Apache" is as defined by HTTP.
No more, no less.

(b) You can easily timeout credentials on the server.
For example, authenticate against an SQL database with a query like
"select password from authn where user = %s and expires >= 'now'"
mod_authn_dbd or older third-party modules will do that.

(c) You can delegate responsibility, e.g. to ldap or radius.

(d) If you work with cookies, you can avoid clients hitting you with
expired credentials (unless they're trying to hack you :-)

As for logout, you're at the mercy of the protocol used, not the server.
Choose one that unambiguously supports logout.

FWIW, I've just written a module to support anonymous scheduled access,
as a simple example for the book. It's 168 lines in total, including
copious comments, and was written in a spare couple of hours when a
thunderstorm interrupted my normal work and forced me to go offline
and onto the laptop.

--
Nick Kew
blthecat

(Msg. 5) Posted: Fri Nov 04, 2005 9:55 am
Post subject: Re: Login page that supports "Logout" and times out.
Archived from groups: per prev. post

Message-ID: <dkffod$d1k$1@news.freedom2surf.net> from Richard Watson
contained the following:

>Logging out is just a page that deletes the session. Timeouts can be
>done in a number of ways, probably most simply by using a cookie with a
>limited lifetime.

Or by making the session variable value the timeout time and resetting
it every time it is checked for.

if(isset($_SESSION['logged_in']) *&&$_SESSION['logged_in']< $timeout){
//set new value of $_SESSION['logged_in']
}
else{
//redirect to login page
}
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
blthecat

(Msg. 6) Posted: Fri Nov 04, 2005 9:55 am
Post subject: Re: Login page that supports "Logout" and times out.
Archived from groups: per prev. post

Message-ID: <bnnmm1loopo7ltn4lua8nkslgt7uorrl64 RemoveThis @4ax.com> from Geoff
Berrow contained the following:

>if(isset($_SESSION['logged_in']) *&&$_SESSION['logged_in']< $timeout){
>//set new value of $_SESSION['logged_in']
>}
>else{
>//redirect to login page
>}


Oops...

if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] < $timeout) {
    // set new value of $_SESSION['logged_in']
} else {
    // redirect to login page
}
--
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
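
A working version of the timeout check sketched in the two posts above, as an added example that is not part of the original thread: the session stores an absolute expiry time, every checked request slides it forward, and logout or expiry wipes the state on the server. The names IDLE_LIMIT, log_in, log_out and login_is_live, the 900-second limit and the /login.php path are assumptions; PHP 7 or later is assumed.

```php
<?php
// Added example (not from the thread). IDLE_LIMIT, the function names and
// /login.php are assumptions chosen for illustration.
const IDLE_LIMIT = 900; // seconds of inactivity allowed by the server

// Start a login: store the absolute time at which it lapses.
function log_in(array &$session, string $user, int $now): void
{
    $session = ['user' => $user, 'expires' => $now + IDLE_LIMIT];
}

// True while the login is unexpired; each successful check slides the
// expiry forward. Anything else clears the state, so a stale or missing
// value can never be revived by a later request.
function login_is_live(array &$session, int $now): bool
{
    $expires = $session['expires'] ?? null;
    if (is_int($expires) && $now < $expires) {
        $session['expires'] = $now + IDLE_LIMIT;
        return true;
    }
    $session = [];
    return false;
}

// Logout is the same server-side wipe, triggered by the user.
function log_out(array &$session): void
{
    $session = [];
}

// Web use: call session_start(), then pass $_SESSION and time():
//   if (!login_is_live($_SESSION, time())) {
//       header('Location: /login.php'); exit;
//   }
// After a successful password check, call session_regenerate_id(true)
// before log_in(); on logout, follow log_out() with session_destroy().

if (PHP_SAPI === 'cli') {
    $s = [];          // constructed stand-in for $_SESSION
    $t = 1000000;     // constructed clock value, in seconds
    log_in($s, 'alice', $t);
    var_dump(login_is_live($s, $t + 600));   // request after 600 s idle
    var_dump(login_is_live($s, $t + 1400));  // 800 s after previous request
    var_dump(login_is_live($s, $t + 2400));  // 1000 s after previous request
    log_in($s, 'alice', $t + 3000);
    log_out($s);
    var_dump(login_is_live($s, $t + 3001));  // request right after logout
}
```

Because the expiry lives in server-side session data, the client cannot extend it; a cookie lifetime alone is only a hint to the browser.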