OK. This may be the wrong place to ask this, but perhaps someone here can help me out anyway.
When a user comes to one of my sites, they are authenticated via mod_auth_mysql. I'd like to have my system timeout a session for a user after a period of inactivity. In other words, if the user has not refresshed the page or whatever in 1 hour, I'd like them to have to login again.
I've been looking to see if this is an apache thing, or an authorization thing, or whatever, but I can't really find anything out. If someone could even just let me know which FM to RT it would be helpful! ;)
Thank!
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
You probably can't find anything out because it's not really built into the Apache authentication mechanism.
Authentication is handled between the browser and Apache, outside of any sessions, etc. Every access to a protected resource requires the browser to send the userid and password to Apache. After the first request for a protected resource (which pops up the userid/password window), the browser caches this information in memory.
There is no way from the Apache side to clear the information, and no way to tell if the userid and password coming into Apache are from a logon window or from the cache.
And since this doesn't involve sessions or cookies, there isn't anything you can clear from your web page.
Sorry.
Jerry
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
OK. This may be the wrong place to ask this, but perhaps someone here can help me out anyway.
When a user comes to one of my sites, they are authenticated via mod_auth_mysql. I'd like to have my system timeout a session for a user after a period of inactivity. In other words, if the user has not refresshed the page or whatever in 1 hour, I'd like them to have to login again.
I've been looking to see if this is an apache thing, or an authorization thing, or whatever, but I can't really find anything out. If someone could even just let me know which FM to RT it would be helpful! ;)
Thank!
Hi, Anocelot,
You probably can't find anything out because it's not really built into the Apache authentication mechanism.
Authentication is handled between the browser and Apache, outside of any sessions, etc. Every access to a protected resource requires the browser to send the userid and password to Apache. After the first request for a protected resource (which pops up the userid/password window), the browser caches this information in memory.
There is no way from the Apache side to clear the information, and no way to tell if the userid and password coming into Apache are from a logon window or from the cache.
And since this doesn't involve sessions or cookies, there isn't anything you can clear from your web page.
Sorry.
Jerry