Howdy,
We track state. I have a variety of users with different time outs for
timing out their session. Unfortunately, the problem lies with the browser
itself and not the server side =(
You can track state through cookies, client variables if you're using Cold
Fusion, ASP or PHP3, or embed state variables in the web page itself. We
use Cold Fusion http://www.allaire.com
Another thing to consider is winnt workstations with a PDC
(Linux,NT,Novell)
ttyl,
-Rob
From: "Doug Poulin" <doug_poulin@hotmail.com>
Sent by: owner-modssl-users@modssl.org
Date: 05/19/2000 04:44 PM
To: <[EMAIL PROTECTED]>
cc:
Subject: Security Hole in mod-ssl
Please respond to modssl-users
I've seen this question asked many times over the past several weeks and
have never had anyone come up with a response that works. I think this is
a serious security problem with browsers.
Once you authenticate with a secure server, the browser remembers who you
are so that it can include that information for future requests to that
server. However, I can't tell the browser to forget who I am without
closing the browser. That means that if I authenticate to a secure site,
then go off to other sites and never close my browser, anyone coming along
afterwards can go back to that secure site with my full access.
I would like to be able to have multiple users share a PC and log on/off
without having to restart the browser each time.
This sounds like a straightforward problem but it is not. Part of the
problem involves being able to determine whether the user is logging on for
the first time or returning from a previous session. Without knowing that,
the only solution appears to be forcing the user to log in twice. This
happens because our login script automatically rejects (401 Unauthorized)
the first login attempt. This ensures that re-visits are forced to log in
properly, but it also means that the first time in, the server
authenticates, then our login script rejects it, then they get logged in
properly.
Here are things that I have already tried.
1) cookies: They don't work because the server authentication always
happens before the script sees the cookies.
2) redirects: I thought I could redirect from a non-secure page to a
secure page and force the server to authenticate. The problem was that the
browser never provided the remote-user name to the server for the
non-secure page, but as soon as it got redirected it sent along the
remote-user and bypassed the security again.
3) server files: same basic problem as cookies. You don't have enough
information at the time you need it.
Does anyone have any concrete code samples or ideas that actually work?
While I'm at it does anyone know what the options in the .htaccess file
are? I am particularly interested in the "require" directive. I have
tried the modssl reference pages but that doesn't seem to be covered. I
know valid-user is one of them but what other ones are there?
Doug Poulin
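One way to implement the first-visit versus return-visit distinction Doug describes, as an added example that is not code from this thread: the Basic-auth password check is done in the application handler itself rather than in the server's auth module (an assumption; it is what lets the script see the cookie before deciding). The `USERS` table, the realm name, the `auth` cookie and the `/logout` path are constructed for the example.

```python
import base64
import hmac
from http.cookies import SimpleCookie

# Constructed user table for this example; a real deployment stores password hashes.
USERS = {"doug": "s3cret"}
CHALLENGE = ("WWW-Authenticate", 'Basic realm="members"')
SET_PENDING = ("Set-Cookie", "auth=pending; Path=/")
SET_ACTIVE = ("Set-Cookie", "auth=active; Path=/")
CLEAR = ("Set-Cookie", "auth=; Max-Age=0; Path=/")


def parse_basic(auth_header):
    """Decode an HTTP Basic Authorization header into (user, password), or None."""
    parts = (auth_header or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def handle(path, headers):
    """Return (status, response_headers, remote_user) for one request.

    The application checks the password itself, so unlike a server auth module
    it sees the cookie and can tell a first login from a cached-credential return.
    """
    cookies = SimpleCookie(headers.get("Cookie", ""))
    stage = cookies["auth"].value if "auth" in cookies else ""
    creds = parse_basic(headers.get("Authorization"))
    if path == "/logout":
        # Forget the session. The browser still caches the credentials, so the
        # next visit arrives without a cookie and is pushed through the 401 below.
        return 302, [("Location", "/"), CLEAR], None
    if creds is None or stage not in ("pending", "active"):
        # Either a genuine first visit (no credentials yet) or credentials replayed
        # from the browser cache after a logout (no cookie). Answer 401 so the
        # browser prompts; the typed credentials then come back with the cookie.
        return 401, [CHALLENGE, SET_PENDING], None
    user, password = creds
    if not hmac.compare_digest(USERS.get(user, "").encode(), password.encode()):
        return 401, [CHALLENGE, SET_PENDING], None
    return 200, [SET_ACTIVE], user
```

A first-time user is prompted once, while a browser replaying cached credentials after `/logout` is rejected exactly once and has to retype them, which is the behaviour the 401-rejection trick is after.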
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]