In response to Veronique's original question - there's no way that I can 
think of to make a user re-authenticate on your site after they "leave". 
HTTP is by nature a request/response protocol, so how would you know 
they "left" your site?  The only control you have is with time, which 
should be suitable for most purposes.   You could muck around by creating 
custom browser windows which don't have forward/back controls or menus 
thereby actually *preventing* the user from leaving your site inside a 
given window if it is *really* necessary, and trapping attempts to close 
the window, e.g. like citibank's online banking.  But if you don't disable 
navigation controls and you have any links within your site to external 
sites, your server cannot possibly know that the user has left.

As far as managing sessions with cookies, it's much better not to use the 
actual cookie or a cookie expiration to try to manage your session timeout. 
Rather, store a session ID inside a cookie which never expires, and keep 
all the relevant info on your server in a database.  So when a user hits 
your site, you look for an existing cookie and generate a new one if it 
doesn't exist, with a unique session ID.  You then look in your database of 
logins for that session ID to find out when the last time they hit the site 
was and decide whether to make them log in again or not. Everything is 
handled by your database on server side, the cookie's only purpose is to 
identify the session the user belongs to.

If the site handles sensitive information, a session timeout of 10 minutes 
ought to be fairly secure but long enough that you won't require users to 
re-log-in while using your web site. (Every time they pull up a new page 
you reset the counter, so you've always got 10 minutes after each "click" 
before it times out).  The "citibank" solution above is the only way I can 
think of to ensure that you can't re-enter after leaving the site, though.

Jamie

At 10:43 AM 5/19/00 -0700, Doug Poulin wrote:
>I have been grappling with this problem for several days now, and I cannot
>seem to resolve it.
>The problem is a lot more complicated than it seems.  The problem with
>cookies (or whatever method you choose) is that when
>they first log on to the site you will not get a cookie and you will force
>them to authenticate a second time which for an end user would be very
>annoying.  There doesn't seem to be any way to detect the difference between
>a valid log in and a browser faking a real log in on your behalf. I have
>tried cookies, redirects, temporary files and am quickly running out of
>ideas.  The ideal way would be someway to tell the browser to forget who he
>is when the user logs off (through a cgi script or javascript).  If anyone
>has any brilliant ideas let me know.
>
>Doug Poulin
>----- Original Message -----
>From: Costantino Imbrauglio <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Monday, May 08, 2000 4:33 AM
>Subject: Re: Password access to a site
>
>
> > You might consider using cookies with a very short expiration time. In
> > such a case your html pages should contain a small piece of code (you might
> > use either php or perl or whatever you like) that would check the presence
> > of the cookie in the user request. If no cookie is present then
> > authentication is required. It's fairly easy and it works.
> >
> > ----- Original Message -----
> > From: "Veronique Kraft" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, May 08, 2000 8:11 AM
> > Subject: Password access to a site
> >
> >
> > > Hi all,
> > >
> > > How can I require users to re-enter their passwords when they re-visit
> > > my site with the same browser window?
> > > ie. The first time they visit, they enter a password, then they visit
> > > another site, then decide they want to go back to my site so they use
> > > the back button on their browser.
> > > I currently have .htaccess working, but when I test it by leaving my
> > > site then coming back to it, I'm not prompted for a password.
> > >
> > >
> > > Veronique Kraft
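The server-side session scheme Jamie describes above (an opaque session ID in the cookie, last-hit time kept on the server, 10-minute sliding timeout), written out as an added example; this is not code from the thread or from mod_ssl. The cookie name `sid`, the in-memory dict standing in for the database, and the injectable clock are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 10 * 60  # Jamie's 10-minute sliding timeout, in seconds
COOKIE_NAME = "sid"     # assumed cookie name, not from the thread


class SessionStore:
    """Server-side session table standing in for Jamie's login database: the
    cookie carries only the session ID, user and last-seen time live here."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so tests can move time forward
        self.sessions = {}  # sid -> {"user": str, "last_seen": float}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # 256-bit random ID, not guessable
        self.sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def check(self, sid):
        """Return the user for a live session, else None. Unknown or idle for
        more than IDLE_TIMEOUT means re-login; a live hit resets the counter."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]  # expired: drop it and force a fresh login
            return None
        rec["last_seen"] = now  # sliding window: 10 more minutes after this click
        return rec["user"]

    def logout(self, sid):
        # Server-side invalidation: the browser may keep the cookie, the ID is dead
        self.sessions.pop(sid, None)


def session_id_from_cookie(cookie_header):
    """Pull our session ID out of a raw Cookie: request header, if present."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value
    return None


def set_cookie_header(sid):
    # No Expires/Max-Age: the timeout is enforced server-side, as Jamie recommends.
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
```

Because the ID is random and the state lives on the server, a stale or replayed cookie after the idle window simply fails `check()` and the user lands on the login page again.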

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
