A week ago I received messages from CERT saying that this problem is
due to the browser (not mod_ssl). Please check with CERT about this; if
I'm wrong, just tell me.
I will look for the messages, OK.
------------------------------------------------------------------------
Ramon Alvarez Rayo
Technical contact
e-mail: [EMAIL PROTECTED]
-----------------------------------------------------------------------
On Fri, 19 May 2000, Doug Poulin wrote:
> I've seen this question asked many times over the past several weeks and have never
>had anyone come up with a response that works. I think this is a serious security
>problem with browsers.
>
> Once you authenticate with a secure server, the browser remembers who you are so
>that it can include that information for future requests to that server. However I
>can't tell the browser to forget who I am without closing the browser. That means
>that if I authenticate to a secure site, then go off to other sites and never close
>my browser anyone coming along afterwards can go back to that secure site with my
>full access.
>
> I would like to be able to have multiple users share a PC and log on/off without
>having to restart the browser each time.
>
> This sounds like a straightforward problem but it is not. Part of the problem
>involves being able to determine whether the user is logging on for the first time or
>returning from a previous session. Without knowing that, the only solution appears
>to be in forcing the user to log in twice. This happens because our log in script
>automatically rejects (401 Unauthorized) the first log in attempt. This ensures that
>re-visits are forced to log in properly, but it also means that the first time in the
>server authenticates, then our log in script rejects it, then they get logged in
>properly.
>
> Here are things that I have already tried.
>
> 1) cookies: They don't work because the server authentication always happens
>before the script sees the cookies.
> 2) redirects: I thought I could redirect from a non secure page to a secure page
>and force the server to authenticate. The problem was that the browser never
>provided the remote-user name to the server for the non secure page but as soon as it
>got redirected it sent along the remote-user and bypassed the security again.
> 3) server files: same basic problem as cookies. You don't have enough information
>at the time you need it.
>
> Does anyone have any concrete code samples or ideas that actually work?
>
> While I'm at it does anyone know what the options in the .htaccess file are? I am
>particularly interested in the "require" directive. I have tried the modssl
>reference pages but that doesn't seem to be covered. I know valid-user is one of
>them but what other ones are there?
>
> Doug Poulin
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
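
An added illustration, not part of the original thread: a small Python model of the behaviour described in the quoted message, where the browser resends cached HTTP authentication credentials until it is closed and a login script rejects the first authenticated request with 401. The class names, the constructed account and the per-user "already rejected once" flag are assumptions; the thread does not say how the script keeps track of this.

```python
# Constructed model; account, names and the per-user flag are assumptions.
USERS = {"doug": "s3cret"}  # constructed test account


class Server:
    def __init__(self, force_relogin):
        self.force_relogin = force_relogin
        self.challenged = set()  # users the login script has rejected once

    def handle(self, creds):
        # Step 1: the server's own authentication runs before any script.
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return 401
        # Step 2: the login script rejects the first authenticated request.
        if self.force_relogin and creds[0] not in self.challenged:
            self.challenged.add(creds[0])
            return 401
        self.challenged.discard(creds[0])
        return 200


class Browser:
    def __init__(self):
        self.cached = None  # credentials remembered until the browser closes
        self.prompts = 0    # password dialogs shown so far

    def get(self, server, typed):
        """Request the page. `typed` lists what the person at the keyboard
        enters at each password prompt; running out means they cancel."""
        typed = iter(typed)
        while True:
            if server.handle(self.cached) == 200:
                return 200
            self.prompts += 1  # a 401 makes the browser prompt again
            self.cached = next(typed, None)
            if self.cached is None:
                return 401


def visit_after_owner_left(force_relogin):
    """Owner logs in, walks away; a second person reuses the open browser."""
    server, browser = Server(force_relogin), Browser()
    first = browser.get(server, [("doug", "s3cret")] * 2)
    owner_prompts = browser.prompts
    second = browser.get(server, [])  # second person knows no password
    return first, owner_prompts, second
```

Without the forced rejection the second person gets in with no prompt at all; with it they are stopped, at the cost of the owner seeing two password dialogs on a fresh login.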