8

I've protected a directory with satisfy and basic_auth, but it seems that the validation is not stored in a cookie which gets deleted after some time; it seems to be IP-based or something. So I log in once, and even if I keep the website open for half an hour, it does not re-request the validation.

Is there a way to set a timeout? I.e., get access for 10 minutes and after that have to log in again if clicking on a file?

Adrian Heine
Gabriel

2 Answers

8

Excerpt from the section Disadvantages of the Wikipedia article about HTTP authentication:

Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without closing the browser. This is a significant defect that requires browser manufacturers to support a 'logout' user interface element (mentioned in RFC 1945, but not implemented by most browsers) or API available to JavaScript, further extensions to HTTP, or use of existing alternative techniques such as retrieving the page over SSL/TLS with an unguessable string in the URL.

AlexD
4

This question is very similar to https://stackoverflow.com/questions/8034899/%20nginx-auth-basic-time-limitation and the answer there is most useful. I won't duplicate it here.

woolfie