
Apache NTLM Authentication Logout???

djtech2k
I am using Apache 1.3.29 on Windows 2000. I am using the ntlm_module for Basic Authentication. Everything works ok with the exception of the session variable. When I have users login to my webapp using the Apache authentication, it does not log them out correctly. If someone logs out, but does not close their browser, they can log right back in without being prompted for name/password. This is a security problem that I need to fix. Does anyone know how to clear this session variable or whatever is holding the authentication?

Any help appreciated!!!

-DJ
 
One suggestion is to reduce the session time to something appropriate for the site you run.

<marc> i wonder what will happen if i press this...[ul][li]please tell us if our suggestion has helped[/li][li]need some help? faq581-3339[/li][/ul]
 
Are you referring to the keepalive time?


-DJ
 
"ntlm_module for Basic Authentication"

I missed the Basic Authentication bit :|

BasicAuth credentials are cached by Internet Explorer (and most other browsers). There is AFAIK no way for the site to remove the cached logon: each time the user requests any page from that domain, the browser re-presents the cached credentials.

The solution to this is moving to ASP session managed authentication.

 
I was afraid that would be the answer. My employer does not allow IIS/ASP. The software that I am using in conjunction with this is also very "touchy". I wasn't sure if there was any way to clear that cache. My main goal is to have the user be completely logged out when they log out from the app. As it stands now, even if they log out of the app, they can come right back to the app and get right back in. That's the major part of the problem for me.



-DJ
 
Perhaps use JavaScript to kill the browser window?

I know it's not really the answer, but if you have control over which browser your userbase is using, it's a start.

 
I had a thought as a work around. I have read that a browser will clear this authentication cache when it is closed or when it receives an error 401. I was thinking of how I could emulate that error message but use a custom error page so it does not look bad to the user. Any thoughts? Or any idea how to force that error?


-DJ
 
I found this JavaScript on Erik's Weblog:

Code:
document.execCommand('ClearAuthenticationCache');
The following example illustrates the usage; but be warned: it's only working in IE6 SP1 and calling ClearAuthenticationCache will clear all available auth tokens instead of just the one which belongs to the respective site.

Not sure about the forcing 401 yet :(

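The two techniques discussed in this thread (the IE-only ClearAuthenticationCache command, and forcing a 401 so the browser drops what it cached) combined into one logout routine, as an added example that is not code from the thread or from Erik's Weblog. It assumes a /logout URL on the same site that always answers 401 with a "WWW-Authenticate: Basic" challenge (the Apache side is not shown in the thread; a Location protected by an auth file that contains no valid users is one way to get that). The document and XMLHttpRequest objects are passed in as parameters so the routine can be exercised outside a browser; in a page you call it as clearCachedBasicAuth(document, function () { return new XMLHttpRequest(); }, '').

```javascript
// Added example, not from the original thread. Logout for an app behind HTTP
// Basic authentication. The browser caches the Basic credentials for the realm
// and re-sends them on every request, so an application "logout" link cannot
// end the session by itself. Two things do work:
//   1. IE6 SP1 and later only: document.execCommand('ClearAuthenticationCache'),
//      which drops every cached credential in the browser, not only this site's.
//   2. Any browser: send one request with deliberately wrong credentials to a
//      URL that always answers 401 with a WWW-Authenticate challenge. The
//      browser replaces its cached credentials with the rejected ones, and the
//      next real request prompts for name/password again.
// LOGOUT_PATH and the server always answering 401 there are assumptions.

const LOGOUT_PATH = '/logout';   // assumed: the server always returns 401 for this path
const BOGUS_USER = 'logout';     // any name/password the server will reject
const BOGUS_PASS = 'logout';

function toBase64(s) {
  // Browsers provide btoa(); older Node versions only have Buffer.
  if (typeof btoa === 'function') return btoa(s);
  return Buffer.from(s, 'binary').toString('base64');
}

// The request that overwrites the cached credentials with bogus ones.
function buildLogoutRequest(basePath) {
  return {
    method: 'GET',
    url: basePath + LOGOUT_PATH,
    headers: {
      'Authorization': 'Basic ' + toBase64(BOGUS_USER + ':' + BOGUS_PASS),
      // Make sure the 401 really comes from the server, not from a cache.
      'Cache-Control': 'no-cache',
    },
  };
}

// A 401 only replaces the cached Basic credentials when it carries a Basic
// challenge; a 401 without WWW-Authenticate, or with another scheme, does not.
function responseInvalidatesCredentials(status, wwwAuthenticate) {
  if (status !== 401) return false;
  if (typeof wwwAuthenticate !== 'string') return false;
  return /^basic\b/i.test(wwwAuthenticate.trim());
}

// Returns which path was used: 'execCommand', 'bogus-401' or 'failed'.
function clearCachedBasicAuth(doc, xhrFactory, basePath) {
  // Path 1: the IE command. Other browsers return false or throw for
  // unknown commands, in which case we fall through to path 2.
  if (doc && typeof doc.execCommand === 'function') {
    try {
      if (doc.execCommand('ClearAuthenticationCache')) return 'execCommand';
    } catch (e) { /* unsupported command in this browser */ }
  }
  // Path 2: overwrite the cache. Synchronous so the logout page can navigate
  // away only after the 401 has been received.
  const req = buildLogoutRequest(basePath);
  const xhr = xhrFactory();
  xhr.open(req.method, req.url, false);
  for (const name in req.headers) xhr.setRequestHeader(name, req.headers[name]);
  xhr.send(null);
  const cleared = responseInvalidatesCredentials(
    xhr.status, xhr.getResponseHeader('WWW-Authenticate'));
  return cleared ? 'bogus-401' : 'failed';
}
```

Note that path 1 wipes every cached credential in IE, including other sites', as marc's post warns, and that path 2 relies on the browser treating a rejected Authorization header as a reason to forget the old one; verify the behaviour in the browsers you actually support before relying on it as a security control, and still keep the real fix (a server-side session that the server can invalidate) in mind where the environment allows it.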
 
That works like a charm. THANKS!!!



-DJ
 