htaccess session timeout

on 23.11.2005 07:26:48 by bclark1

Hi all

Would anyone know if it's possible to use htaccess with a session timeout.

Basically I would like it so that if a user walks away from their workstation, on returning they have to re-login.

If anyone has any tips, advice or URL links, I would be most grateful.

Kind Regards
Brent Clark

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: htaccess session timeout

on 23.11.2005 08:53:06 by Boyle Owen

> -----Original Message-----
> From: Brent Clark [mailto:bclark@eccotours.dyndns.org]
> Sent: Wednesday, 23 November 2005 07:27
> To: Apache
> Subject: [users@httpd] htaccess session timeout
>
> Hi all
>
> Would anyone know if it's possible to use htaccess with a session timeout.
>

Just to be clear, "htaccess" is a mechanism that allows certain directives to be applied to a particular directory just by putting a small file in that directory. Because this is most often used to provide Basic Authentication (password protection) people sometimes think they are equivalent. They're not. You can have a .htaccess file that contains non-Auth directives and you can do Basic Auth without using a .htaccess file.

> Basically I would like it so that if a user walks away from their workstation, on returning they have to re-login.

Regarding your question: this isn't possible with Basic Auth; the browser caches the password and username (the credentials) and then resends them with every subsequent request to the same realm. So you will "stay logged in" indefinitely.

Having said that, mod_auth_digest (http://httpd.apache.org/docs/2.0/mod/mod_auth_digest.html) has an AuthDigestNonceLifetime directive which allows you to timestamp requests and so expire sessions. Note that mod_auth_digest is a bit experimental and not universally supported by browsers - depending on your application that might or might not matter...

The other way to go is to forget about doing the authentication in the HTTP layer and to use cookies. The server can put timestamps on the cookies so that you can keep track of when the client last accessed the realm. Then you can expire the request after a given time. Cookie handling requires a server-side mechanism (PHP, CGI, ASP, Cocoon etc.) and is non-trivial.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

>
> If anyone has any tips, advice or URL links, I would be most grateful.
>
> Kind Regards
> Brent Clark
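The cookie approach described in the reply above (the server timestamps the cookie and expires the session after a period of inactivity), as an added Python example that is not part of the original thread. The cookie layout `user|last_access|mac`, the key, the 15-minute limit and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumptions for this sketch: a constructed demo key (load a real one from
# server-side configuration) and a 15-minute inactivity limit.
SECRET_KEY = b"constructed-demo-key"
IDLE_TIMEOUT = 15 * 60


def _sign(payload: str) -> bytes:
    """HMAC over 'user|last_access' so the client cannot edit the timestamp."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_cookie(user: str, now: Optional[float] = None) -> str:
    """Cookie value to set after a successful login or a valid request."""
    ts = int(time.time() if now is None else now)
    payload = f"{user}|{ts}"
    return f"{payload}|{_sign(payload).decode()}"


def check_cookie(cookie: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (user, refreshed_cookie) while the session is live, else None.

    None means the application must send the user back to the login form.
    """
    now = time.time() if now is None else now
    try:
        user, ts_text, mac = cookie.rsplit("|", 2)
        ts = int(ts_text)
    except ValueError:
        return None  # malformed cookie
    # Constant-time comparison; the MAC covers the exact timestamp text sent.
    if not hmac.compare_digest(mac.encode(), _sign(f"{user}|{ts_text}")):
        return None  # user or timestamp was altered on the client
    if ts > now or now - ts > IDLE_TIMEOUT:
        return None  # idle too long, or a timestamp from the future
    # Sliding window: every valid request restarts the inactivity clock.
    return user, issue_cookie(user, now)
```

Send the cookie with the `Secure` and `HttpOnly` attributes; a copied cookie still works until the inactivity window closes, so this limits exposure at an unattended workstation rather than replacing logout.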