I need to figure out how to log a user off our
web site and ensure that they re-authenticate the next time they hit our
site.
On the surface this seems like a very simple
problem but it is not. Here is what happens.
A user logs on to our site using modauth, from an
IE5 browser. They do a bunch of things and then they go off to some
other URL, or for a coffee. If they don't
close every single browser window then they remain authenticated to our site
FOREVER! They (or anyone else sharing the same PC) can return to our
site and they get access right away without any authentication.
We have hospitals using our site who have many
staff sharing a PC, who each need to be able to sit down, look up some info,
then log off without a lot of hassles.
Sending a 401 Unauthorized doesn't work because I
can't tell the difference between someone legitimately logging in properly and
one returning from a previous session.
There doesn't seem to be anything in the browser
you can shut off, modify or otherwise fool. CGI scripts come into play
far too late since all of the authenticating (or non-authenticating) has
already passed. I tried looking at the SSL_SESSION_ID but it appears to
be different for every single hit to our web site from the same PC and browser
window.
My httpd.conf file is pretty much default.
SSLSessionCache is set to shm:/var/cache/ssl_scache(512000)
SSLSessionCacheTimeout is set to 300
I can get back onto my site hours later
(certainly more than 5 minutes) without re-authenticating. Does anyone
have any ideas where to go from here? I'm really stumped...
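As an added illustration (not from the original post, and not Apache or mod_auth code), a small Python model of what a server can and cannot do about logout under HTTP Basic authentication: it tracks per-user idle time and answers 401 once the idle timeout has passed, which makes the browser discard its cached credentials and prompt again. The user table, the 300-second timeout and the class and helper names are assumptions for the example.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed user table for the example: username -> password.
USERS = {"nurse1": "s3cret"}

IDLE_TIMEOUT = 300  # seconds; assumed value, mirrors the 5 minutes in the post


def make_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class BasicAuthIdleGate:
    """Server-side idle tracker layered over HTTP Basic auth.

    Basic auth has no logout: the browser replays the cached Authorization
    header on every request until the window closes. The server can only
    remember when each user was last active and reject (401, with a
    WWW-Authenticate header in a real server) after a quiet period.
    """

    def __init__(self, timeout: int = IDLE_TIMEOUT):
        self.timeout = timeout
        self.last_seen: Dict[str, float] = {}  # user -> last request time

    @staticmethod
    def parse(header: Optional[str]) -> Optional[Tuple[str, str]]:
        """Return (user, password) from a Basic header, or None if malformed."""
        if not header or not header.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None

    def handle(self, auth_header: Optional[str], now: float) -> int:
        """Return the HTTP status for a request carrying auth_header at time now."""
        creds = self.parse(auth_header)
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return 401
        user = creds[0]
        last = self.last_seen.get(user)
        if last is not None and now - last > self.timeout:
            # Idle too long: reject once so the browser re-prompts. The
            # credentials typed after the prompt are byte-identical to the
            # cached ones, so the next valid request must simply be accepted;
            # the server cannot tell a fresh login from a replayed header.
            del self.last_seen[user]
            return 401
        self.last_seen[user] = now
        return 200
```

The forced re-prompt is the practical limit of Basic auth; a real logoff needs a server-issued session identifier (for example a cookie) that the server can expire or delete independently of the browser's credential cache.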