WebApp Sec mailing list archives
RE: HTTP authentication and session timeout
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Mon, 25 Nov 2002 16:57:47 +0200
Only real way to do this is to use a different URL (thus maintaining state) for each session, and use that url as the realm. Then, if the realm (==url) changes, the browser will "forget" about the credentials, and prompt the user to reenter them.

MS has a kluge where they do this in outlook webmail, but it is highly browser dependent. IE prompts to be reauthenticated, but Mozilla and Konqueror don't, for example.

Rogan
-----Original Message-----
From: UDP 53 [mailto:udp53 () hotmail com]
Sent: 25 November 2002 01:13
To: webappsec () securityfocus com
Subject: HTTP authentication and session timeout

I am looking at a web app which uses HTTP authentication (over SSL) for user login. No mechanism is employed for session state management, and the app relies upon the default browser behaviour (of resending the encoded authentication string with each subsequent request) in order to re-identify the user through their session. No form of timeout is enforced by the server.

Does anyone know if it is possible to enforce any kind of server-side timeout in this set-up? I.e., is there a way for the server to instruct the browser to destroy the cached login credentials, so that the user must reauthenticate?

UDP53
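The per-session-URL-as-realm approach Rogan describes, as an added example that is not part of the original thread: a minimal Python request handler (the names RealmRotatingAuth, handle and basic_header, and the user store, are all assumptions constructed for this illustration) that binds each session to a unique URL prefix used as the Basic realm, tracks idle time on the server, and redirects an expired session to a fresh prefix so the browser has no cached credentials to resend. Whether the browser then actually re-prompts is, as the thread notes, browser-dependent.

```python
import base64, hmac, secrets, time

USERS = {"alice": "s3cret-pw"}   # constructed sample user store (hypothetical)

def basic_header(user, pw):
    """Authorization header a browser sends for Basic auth (client side)."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

class RealmRotatingAuth:
    """Server-side idle timeout for HTTP Basic auth (hypothetical handler).

    Each session lives under /s/<token>/ and that prefix is also the realm, so
    the browser's cached credentials are bound to one session.  An idle session
    is dropped and redirected to a fresh prefix with a realm the browser has
    never seen, so it has nothing cached to resend and must prompt again.
    """
    def __init__(self, timeout=300, now=time.time):
        self.timeout = timeout
        self.now = now                # injectable clock, handy for testing
        self.sessions = {}            # token -> time of last accepted request

    def _fresh_redirect(self):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = self.now()
        return 302, {"Location": f"/s/{token}/"}

    @staticmethod
    def _credentials_ok(header):
        if not header or not header.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(header[6:], validate=True).decode().partition(":")
        except ValueError:            # bad base64 or non-UTF-8 payload
            return False
        return user in USERS and hmac.compare_digest(pw.encode(), USERS[user].encode())

    def handle(self, path, authorization=None):
        """Return (status, headers) for a request to `path`."""
        parts = path.split("/", 3)
        token = parts[2] if len(parts) >= 3 and parts[1] == "s" else None
        last = self.sessions.get(token)
        if last is None or self.now() - last > self.timeout:
            self.sessions.pop(token, None)   # expired or unknown: start over
            return self._fresh_redirect()
        if not self._credentials_ok(authorization):
            return 401, {"WWW-Authenticate": f'Basic realm="/s/{token}/"'}
        self.sessions[token] = self.now()    # idle timer restarts on success
        return 200, {"Content-Type": "text/plain"}
```

A request to the old prefix after expiry never yields 200 again, so even a browser that silently replays the cached credentials gets bounced to a prefix for which it has none.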