Apache LDAP Auth idle-timeout

Question

As part of the security policy we are upgrading out systems to comply with, I need to set our Apache LDAP Auth to have a idle-timeout of 15 minutes.

I.e. If the user stops using the system for over 15 minutes, the next time they go to use it they will need to re-authenticate.

Is this even possible? If so, how can I achieve it?

My auth config in my .htaccess file looks like this:

AuthName "AD Authentication"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl "URL"
AuthLDAPBindDN "DN"
AuthLDAPBindPassword "PASSWORD"
AuthzLDAPAuthoritative Off
require valid-user

Any ideas?

To clarify, do you mean that the connection to the LDAP server needs to time out, or the user's session needs to time out? — Shane Madden, May 04 '11 at 01:54
The users session - so if they idle for longer than 15 minutes, they need to re-authenticate. — Stephen RC, May 04 '11 at 02:30

score 5 · Answer 1 · answered May 04 '11 at 02:36

5

Unfortunately, basic authentication is not session-aware in any way. From the web server's perspective, they're actually forced to re-authenticate with every single request.

However, all browsers cache the credentials used for a basic auth connection, so that you don't need to re-enter credentials for every resource loaded from the server. The issue that this creates in your situation is that there's no way to 'expire' that data from the client browser; it keeps it as long as it wants.

To implement session timeouts, you may be stuck moving away from basic auth and toward a session-aware application.

answered May 04 '11 at 02:36

Shane Madden

112,982
12
174
248

Mmm... that will get annoying. Is there any way to tell the browser to forget the credentials and to re-authenticate? – Stephen RC May 04 '11 at 03:03
I don't believe so. – Shane Madden May 04 '11 at 03:11

score 0 · Answer 2 · edited Nov 06 '12 at 17:19

0

A way to manually tell the browser to forget current credentials is to open the current address with another/invalid user.

http://testuser@www.mypage.com

edited Nov 06 '12 at 17:19

chutz

7,569
1
28
57

answered Mar 21 '12 at 14:37

Skarllot

101
1

This is not portable and might not work on all browsers. In fact there's no portable way to logout when basic or digest authentication is used. – FINESEC Nov 06 '12 at 17:47

score -1 · Answer 3 · answered Jul 17 '13 at 06:40

-1

Try instructions from this site: http://search.cpan.org/~ksolomko/Apache2-AuthCookieLDAP-1.14/lib/Apache2/AuthCookieLDAP.pm

answered Jul 17 '13 at 06:40

Magochi

1

3

Welcome to Server Fault. Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Michael Hampton Jul 17 '13 at 07:02

Apache LDAP Auth idle-timeout

3 Answers3