HTTP authentication and session timeout

From: UDP 53 <udp53(at)hotmail.com>
Date: Mon Nov 25 2002 - 06:13:02 EST


I am looking at a web app which uses HTTP authentication (over SSL) for user login. No mechanism is employed for session state management, and the app relies upon the default browser behaviour (of resending the encoded authentication string with each subsequent request) in order to re-identify the user through their session. No form of timeout is enforced by the server.

Does anyone know if it is possible to enforce any kind of server-side timeout in this set-up? I.e., is there a way for the server to instruct the browser to destroy the cached login credentials, so that the user must reauthenticate?

UDP53


Received on Mon Nov 25 09:55:49 2002
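
One way a server can impose an idle timeout on HTTP Basic authentication, as an added example that is not part of the original post: record the last accepted request per user and answer a single 401 once the idle limit has passed, so that the browser drops its cached credentials and prompts again. The class name, realm, user table and 900-second limit are constructed for illustration, and the sketch assumes the browser re-prompts when a request that carried credentials receives a 401.

```python
import base64
import hmac


class BasicAuthIdleGate:
    """Hypothetical helper: idle timeout layered on HTTP Basic auth."""

    def __init__(self, users, idle_limit=900, realm="app"):
        self.users = users            # constructed demo store: user -> password
        self.idle_limit = idle_limit  # seconds of inactivity allowed
        self.realm = realm
        self.last_seen = {}           # user -> time of last accepted request
        self.challenged = set()       # users already sent an expiry 401

    def _parse(self, header):
        # Authorization: Basic base64(user:password)
        try:
            scheme, blob = header.split(" ", 1)
            if scheme.lower() != "basic":
                return None
            raw = base64.b64decode(blob.strip(), validate=True)
            user, _, password = raw.decode("utf-8").partition(":")
            return user, password
        except (ValueError, AttributeError, UnicodeDecodeError):
            return None  # missing, malformed or non-Basic header

    def check(self, header, now):
        """Return (status, response_headers) for one request at time `now`."""
        challenge = (401, {"WWW-Authenticate": 'Basic realm="%s"' % self.realm})
        creds = self._parse(header)
        if creds is None:
            return challenge
        user, password = creds
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(
                password.encode(), expected.encode()):
            return challenge
        last = self.last_seen.get(user)
        expired = last is not None and now - last > self.idle_limit
        if expired and user not in self.challenged:
            # Valid but stale: reject once so the browser asks the user again.
            self.challenged.add(user)
            return challenge
        # First login, active session, or first valid request after the 401.
        self.challenged.discard(user)
        self.last_seen[user] = now
        return (200, {})
```

Because the re-entered header is byte-identical to the cached one, this only forces the browser's prompt and does not stop a client that replays the header itself. State is keyed by username, so parallel requests or a second browser for the same user share one timer.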

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT

