I've seen this question asked many times over the past several weeks and have never had anyone come up with a response that works.  I think this is a serious security problem with browsers.
 
Once you authenticate with a secure server, the browser remembers who you are so that it can include that information for future requests to that server.  However, I can't tell the browser to forget who I am without closing the browser.  That means that if I authenticate to a secure site, then go off to other sites and never close my browser, anyone coming along afterwards can go back to that secure site with my full access.
 
I would like to be able to have multiple users share a PC and log on/off without having to restart the browser each time.
 
This sounds like a straightforward problem, but it is not.  Part of the problem involves being able to determine whether the user is logging on for the first time or returning from a previous session.  Without knowing that, the only solution appears to be forcing the user to log in twice.  This happens because our login script automatically rejects (401 Unauthorized) the first login attempt.  This ensures that re-visits are forced to log in properly, but it also means that the first time in, the server authenticates, then our login script rejects it, then they get logged in properly.
 
Here are things that I have already tried.
 
1) cookies: They don't work because the server authentication always happens before the script sees the cookies.
2) redirects: I thought I could redirect from a non-secure page to a secure page and force the server to authenticate.  The problem was that the browser never provided the remote-user name to the server for the non-secure page, but as soon as it got redirected it sent along the remote-user and bypassed the security again.
3) server files: same basic problem as cookies.  You don't have enough information at the time you need it.
 
Does anyone have any concrete code samples or ideas that actually work?
 
While I'm at it, does anyone know what the options in the .htaccess file are?  I am particularly interested in the "require" directive.  I have tried the modssl reference pages, but that doesn't seem to be covered.  I know valid-user is one of them, but what other ones are there?
 
Doug Poulin
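The post's core difficulty is that the browser replays cached HTTP Basic credentials on every request, and an .htaccess-driven server authenticates before any script can look at cookies. The following is an added example, not code from the post or from Apache: a small application-level Basic-auth handler in Python where the cookie is inspected before the credential decision is made. That ordering lets a "logged out" marker cookie refuse replayed credentials exactly once (so the browser re-prompts) while a fresh login is accepted on the first try, avoiding the double-login the poster describes. The user table, realm, cookie name and the `handle()`/`wsgi_app()` functions are all constructed for this demonstration.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo user table (plaintext for brevity; a real deployment stores hashes).
USERS = {"doug": "correct horse battery staple"}
REALM = "Shared PC demo"
LOGOUT_COOKIE = "auth_state"   # marker meaning "the next replayed credential must be refused"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    """Parse a raw Cookie header into a dict (assumes simple name=value pairs)."""
    cookies: Dict[str, str] = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def check_basic(authorization: Optional[str]) -> Optional[str]:
    """Return the username if the Authorization header carries valid Basic credentials."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # passwords may themselves contain ':'
    if not sep:
        return None
    # Constant-time compare; unknown users compare against "" so timing does not leak names.
    ok = hmac.compare_digest(password.encode(), USERS.get(user, "").encode())
    return user if (user in USERS and ok) else None


def handle(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, response headers, body). Cookies are read BEFORE credentials decide anything."""
    cookies = parse_cookies(headers.get("Cookie"))
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}

    # A browser replaying old credentials after a logout: refuse once and clear the marker.
    # The browser drops credentials refused with 401 and prompts the (possibly new) user.
    if cookies.get(LOGOUT_COOKIE) == "loggedout":
        challenge["Set-Cookie"] = f"{LOGOUT_COOKIE}=; Max-Age=0; Path=/"
        return 401, challenge, "Please log in again"

    user = check_basic(headers.get("Authorization"))
    if user is None:
        return 401, challenge, "Authentication required"

    if path == "/logout":
        # Credentials stay cached in the browser; the marker makes the next replay fail.
        return 200, {"Set-Cookie": f"{LOGOUT_COOKIE}=loggedout; Path=/"}, f"Logged out {user}"

    return 200, {}, f"Hello {user}"


def wsgi_app(environ, start_response):
    """Minimal WSGI adapter so the handler can be served for real (python this_file.py)."""
    headers = {}
    if "HTTP_AUTHORIZATION" in environ:
        headers["Authorization"] = environ["HTTP_AUTHORIZATION"]
    if "HTTP_COOKIE" in environ:
        headers["Cookie"] = environ["HTTP_COOKIE"]
    status, resp_headers, body = handle(environ.get("PATH_INFO", "/"), headers)
    reason = {200: "OK", 401: "Unauthorized"}[status]
    start_response(f"{status} {reason}", list(resp_headers.items()) + [("Content-Type", "text/plain")])
    return [body.encode()]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, wsgi_app).serve_forever()
```

The sequence this implements: an unauthenticated request gets a 401 challenge; a fresh login is accepted immediately; visiting `/logout` sets the marker cookie; the next request that replays the cached credentials is refused once (and the marker cleared), so the browser prompts again; the credentials typed at that prompt are accepted. It depends on the authentication decision and the cookie check living in the same place, which is the part Apache's htaccess phase does not give a CGI script. For the .htaccess side of the question, Apache's `Require` directive accepts `valid-user`, `user <names>` and `group <names>` (handled by mod_authz_user and mod_authz_groupfile).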