  1. #1

    Password Protected Directories - end session?

    Hi,

    I've recently migrated the hosting of a site that had heaps of password protected directories. The previous hosting had cPanel, which the client had used to set up all the usernames and passwords, and I've been able to recreate this using the .htaccess and .htpasswd files, as the new hosting doesn't have cPanel. All seemed to be working the same; however, we've just discovered that if you've entered your username/password once, it won't ask for it again - even if you've closed down the browser. This seems to be a new issue - I'm pretty sure during all my testing I was always asked for the username and password.

    Is there a way to end a session using .htaccess? From everything I've read, the session should be ended (and the username/password forgotten) when the browser is closed, but this isn't the case. There is no 'remember me' that has been ticked.

    Thanks,
    Jess

  2. #2
    The browser caches the login credentials, not the server. Completely close and then reopen your browser and you'll have to re-enter your username/password.

    With Firefox anyway, there is a menu choice where you can reset credentials.
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same" - Anon

  3. #3
    I have completely closed and reopened the browsers. Appears to behave correctly on an XP machine; however, on Windows 7, IE and Chrome still hold onto the credentials.

  4. #4
    dklynn
    j,

    As you are aware, sessions are generally saved as cookies which can be set with an expiration date. Lacking an expiration, the cookie is automatically destroyed when the browser is closed. Therefore, your session cookies are being set with an expiration date (some time into the future). If you look into your login code, you should see this and remove the expiration date from the code which sets the session variables.

    As for mod_rewrite, yes, it can access cookies using the CO flag:
    Quote Originally Posted by apache.org
    'cookie|CO=NAME:VAL:domain[:lifetime[:path]]' (set cookie)

    This sets a cookie in the client's browser. The cookie's name is specified by NAME and the value is VAL. The domain field is the domain of the cookie, such as '.apache.org', the optional lifetime is the lifetime of the cookie in minutes, and the optional path is the path of the cookie

    {snip}

    Lifetime

    A value of 0 indicates that the cookie will persist only for the current browser session. This is the default value if none is specified.

    {snip}

    [An] example [is] offered here:

    RewriteEngine On
    RewriteRule ^/index\.html - [CO=frontdoor:yes:.example.com:1440:/]

    In the example given, the rule doesn't rewrite the request. The "-" rewrite target tells mod_rewrite to pass the request through unchanged. Instead, it sets a cookie called 'frontdoor' to a value of 'yes'. The cookie is valid for any host in the .example.com domain. It will be set to expire in 1440 minutes (24 hours) and will be returned for all URIs.

    What you can do is apply this to all scripts/pages (i.e., not to js, css, jpg, etc.) and arbitrarily set all lifetime values to either 0 or to 5 minutes. This could be the solution you're looking for (assuming you know the name of the cookie/session and the domain).

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator

  5. #5
    All that is in the htaccess file is:

    AuthType Basic
    AuthName "Newcastle City Council Username and Password required"
    require valid-user
    AuthUserFile "/home/regiona0/.htpasswds/public_html/member/login_members/hun/newcastle_city/passwd"

    Not sure where a cookie would be set? It was all set up through cPanel Password Protected Directories.

  6. #6
    dklynn
    ji,

    I believe that the Apache password protection is supposed to remain until the browser closes as a default action of the browsers.

    To better protect your directory access, require $_SESSION to log in. The cookie set by session_start() should include the expiration time (normally when you close the browser, but you can also specify a session_destroy() to ensure it will close with the script).

    Are you using sessions? If you can't see the code, disable cookies then reload the page and look for an odd query string.

    Regards,

    DK

