[mod_python] Lama - I don't understand basic auth...

Sean Davis sdavis2 at mail.nih.gov
Fri Oct 20 19:11:35 EDT 2006


durumdara wrote:
> Hi!
>
> I want to create a site with a restricted area.
> I use Apache auth., but I don't know how to control it later.
> The documentation is very laconic on this theme, and I cannot 
> understand how to join/link my dbmsession-based user management with 
> this auth. method.
>
> I need a restricted area containing private information, pages 
> that I don't want to show.
> Apache can keep out the non-valid users.
> In the normal way of the login, when I want to intrude into a restricted 
> area, I get a login form.
> Then I can auth. myself, and the application stores UserID, 
> LoginTime, etc.
> After that I can see the content I need.
>
> This section of my code/site I can create, because in the auth. 
> handler script I can log in, later in the req. handler script I can 
> catch the username, and if I don't have specific values in Session, I 
> can write them into the user Session.
> Later I can check these values, and I can control the page view.
>
> BUT!
> I don't know how to control this Apache auth. later.
> If the Session time expired, I need to clear the Apache auth. values 
> (user, pwd). If I don't do this, the Apache auth. handler allows access to 
> the restricted files.
> When is this Apache auth. finished? How do I force it to finish/expire?
You can't log a user out using basic auth.  You will need to use a 
cookie or a hidden field to store a secure token that you can check 
against your session for the same user.  If the token doesn't exist 
(first login) or the token is associated with an expired session, then 
you can do your authorization, but that authorization cannot be basic 
auth if you want to "expire" or log a user out.  This fact is a 
well-known limitation of basic authorization.

Sean
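Sean's suggestion, worked through as a constructed Python example added to this archive page (it is not code from the thread, from durumdara's site, or from mod_python itself): the browser keeps resending the basic-auth header, so the application keeps its own server-side session keyed by an opaque random token in a cookie, and a request is only "ok" when that token maps to a live, unexpired session whose user matches the user Apache authenticated. `remote_user` stands for whatever your handler reads after basic auth (REMOTE_USER, or `req.user` in mod_python); the in-memory `SessionStore` stands in for the poster's dbmsession store, and the cookie name and 15-minute idle timeout are assumptions.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "session"      # assumption: name of the cookie that carries the token
SESSION_TTL = 15 * 60        # assumption: 15-minute idle timeout, in seconds


def _digest(token):
    # Keep only a hash of the token server-side, so a leaked session table
    # does not hand out usable cookies.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """Server-side session table: token digest -> user, login time, last activity.
    Stands in for a database/dbm-backed store; same interface, no persistence."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._sessions = {}

    def create(self, user):
        """Start a session for `user`; returns the opaque token to put in the cookie."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: unguessable
        now = self.clock()
        self._sessions[_digest(token)] = {"user": user, "login_time": now, "last_seen": now}
        return token

    def lookup(self, token):
        """Return the live session for `token`, or None if unknown or idle-expired."""
        key = _digest(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > self.ttl:
            del self._sessions[key]          # expired: forget it, so the token is dead
            return None
        sess["last_seen"] = now              # sliding idle timeout
        return sess

    def logout(self, token):
        """Explicit logout: Apache will still accept the basic-auth header, but the
        token no longer maps to anything, so the application refuses the request."""
        self._sessions.pop(_digest(token), None)


def token_from_cookie_header(cookie_header):
    """Pull the session token out of a raw Cookie: header value, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def set_cookie_header(token):
    """Build the Set-Cookie value for a fresh token: script-inaccessible, HTTPS only,
    not sent on cross-site requests."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["samesite"] = "Strict"
    jar[COOKIE_NAME]["path"] = "/"
    return jar[COOKIE_NAME].OutputString()


def authorize(store, remote_user, cookie_header):
    """Decide a request that basic auth has already admitted as `remote_user`.

    Returns "login" when there is no token or its session has expired (run your own
    login step and issue a new token with set_cookie_header), "mismatch" when the
    token belongs to a different user than the one Apache authenticated, and "ok"
    when the token maps to a live session for the same user.
    """
    token = token_from_cookie_header(cookie_header)
    if token is None:
        return "login"
    sess = store.lookup(token)
    if sess is None:
        return "login"
    if sess["user"] != remote_user:
        return "mismatch"
    return "ok"
```

The "mismatch" outcome is the check Sean describes as "for the same user": if a token issued to one account arrives with a basic-auth header for another, the application refuses rather than trusting either side alone. Expiry is enforced purely by the store, which is why the basic-auth credentials cached in the browser stop mattering once the session is gone.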

