Re: the password protected web pages, Can they be timed out?

[mtsal]

Hi,
The password protection works great for the web pages but noticed that the page(s) don't really time out if an EMP leaves the web page open over an extended amount of time. Can the .htaccess file actually be set to force the user to relogin to the password protected directory(s) and pages?

Regards,
mtsal

[Dolda2000]

That's not really how it works. The server doesn't cache that type of login at all. The reason why it doesn't time out is because the client (a.k.a. web browser) is caching the login data (including the password). Therefore, there isn't a server-side way to do that unless you want to reimplement the entire thing in PHP (or the like) instead.

[mtsal]

I thought that there might be a directive that could be set to a time limit or so. Thanks for the explanation.

[nikhil]

so timeout functionality cannot be implemented on the server side if using Apache?

[Dolda2000]

It cannot be implemented on any server, in fact, since the information is cached solely on the client. The server, whatever software it might be running, doesn't have any control over it.

[Hellmasker]

are u using cookies for authetication or just straight login then go nuts. With any sort of cookie setup u can limit the seesion time to say 20mins, then they will have to log in again if they leave the page for 20 mins

[Dolda2000]

Yes, but HTTP "Basic authentication" doesn't use cookies. That is why I said that reimplementing it with PHP session control would help solve the problem, since that would use cookies.

[mtsal]

Hey Dold2000,
Was impressed with an info.php file you scripted at a different posting. I'd like to borrow it if I may for some brief security testing on some of our pcs that contain external addresses? What all do I require to get it working?

mtsal

[Dolda2000]

I think that the PHP file probably isn't the best way to do that, since all it does is call some shell commands to get the actual info. The reason I made it into PHP was to show that a web page could do that.

What exactly is it that you want to do? If it is the port scanning that you're interested in, all I used for that was nmap, which comes with many distributions. Just run "nmap <ip address or hostname>" to scan someone. To scan for the operating system as well, run "nmap -O <address>".

[mtsal]

We do manual nmaps but thought it would be convenient to do some our scans by just typing in the link. I gave it a whirl just a few minutes ago but, all we came up with was a blank page. The development server is php capable and is currently running some internal php web pages. Why is the page turning up blank though and not working as jubilently as it does on your site?

mtsal