WebApp Sec mailing list archives

HTTP authentication and session timeout


From: "UDP 53" <udp53 () hotmail com>
Date: Mon, 25 Nov 2002 11:13:02 -0000

I am looking at a web app which uses HTTP authentication (over SSL) for user
login. No mechanism is employed for session state management, and the app
relies upon the default browser behaviour (of resending the encoded
authentication string with each subsequent request) in order to re-identify
the user through their session. No form of timeout is enforced by the
server.

Does anyone know if it is possible to enforce any kind of server-side
timeout in this set-up? I.e., is there a way for the server to instruct the
browser to destroy the cached login credentials, so that the user must
reauthenticate?


UDP53
=====
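An added example, not part of the thread: a server cannot reach into the browser and erase cached Basic-auth credentials, but it can stop honouring them. The handler below tracks when each user was last seen and answers an idle session with a fresh 401 challenge, which makes the browser prompt again before the next request. User names, the realm and the constructed credential store are assumptions of the example.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a fresh login is demanded
REALM = "app"            # assumed realm name
CHALLENGE = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}

# Constructed credential store for the example; store password hashes in real use.
USERS: Dict[str, str] = {"alice": "secret"}

# Time of each user's last accepted request. In-memory here; shared storage in production.
last_seen: Dict[str, float] = {}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>'; None if the header is malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def handle_request(auth_header: Optional[str], now: float) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for one request made at time `now`."""
    creds = parse_basic(auth_header)
    if creds is None or not check_password(*creds):
        return 401, CHALLENGE
    user = creds[0]
    seen = last_seen.get(user)
    if seen is not None and now - seen > IDLE_TIMEOUT:
        # Idle too long: forget the user and reject this request. The 401 makes the
        # browser re-prompt; the next request with valid credentials starts a new session.
        del last_seen[user]
        return 401, CHALLENGE
    last_seen[user] = now
    return 200, {}
```

Browsers differ in how they react to a 401 after a previously accepted credential, so verify the re-prompt behaviour in the browsers you support; changing the realm string on timeout is another way to force a new prompt.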