I run Apache Server (V2.0) on a Windows 2000 machine. I use this mainly for demo purposes, so I quite frequently edit the httpd.conf file (to point to a new directory) and then stop and restart the Apache service. Thus serving a totally different site.
This afternoon I did this to point to a Family Tree application on the server. (it's all straight html 4.01 transitional code with javascript). Opening the site in Firefox, I noticed that I had forgotten to include the usual security measures that I use on this site.
I then edited httpd.conf to include the following lines.
AuthType Basic
AuthName "Family members Only"
AuthUserFile /Accounts/passwords
Require valid-user
I then stopped and restarted apache, but found that I could still navigate the site with Firefox, without any sign of security.
I then put a subdirectory into the website and dropped the entire site into this. At the root, I created a brand new Index.html file with a link to the FamilyTree/Index.html file. I then added the same basic security within <directory> tags for the subdirectory containing the main site.
Having stopped and restarted Apache, I then refreshed Firefox and found my brand new Index.html file. Clicking on the link it took me into the main site, STILL with no sign of security. I then changed all the user passwords in my passwords file.
Going back to Firefox I find that this has had absolutely no effect. It is still able to navigate the entire site with impunity.
To double check my configuration I then opened Internet Explorer. Pointing this at the site, I am immediately prompted for a username and password.
It then occurred to me that Firefox had been open throughout this entire process. (Even though I had redirected it to www.google.com, cleared the cache, and returned to my site on several occasions.) So I closed Firefox, and restarted it and AT LAST, it prompts for a username and password.
It would appear then, that a session started with Apache server, can persist through configuration changes, and restarts of the server.
Is this a bug?
Review the server access log. I think you'll find no requests for any of the password-protected pages, because Firefox served them to you from its cache instead of fetching them from the server. If no access is made to the server, then no server-side code or access controls can have any effect.
There is no practical difference in the handling of authorization and authentication between IE and Mozilla.
Jim
Looking at the access logs reveals that I had accessed all the pages in the subdirectory /FamilyTree. As you'll note from my previous post, this subdirectory didn't exist at any time without security.
Also my brand new Index.html which just had one line in the body
<a href="FamilyTree/index.html">Click here to continue</a>
If anyone has Firefox and would like to arrange a test, I can recreate the situation live.
i.e.:
Remove security lines.
Allow user to connect.
Add security.
Restart Apache.
User is still able to continue browsing, as long as they don't close their browser.
All without the user having to provide any password.
If by "session" you mean that you had previously logged-in with Firefox, then that would make sense. But if you mean "PHP session," as in "SESSIONID=," or any other kind of "session" then that won't apply, because Basic mod_auth doesn't know or care about sessions at that level.
When you "log in" to a mod_auth protected area, your browser will send your authentication data (username, password) with each subsequent request to the server for resources (pages, images, etc.) in the "authentication domain" that you defined - generally a protected directory and any subdirectories of that directory. That's why there is no "log out" function when using mod_auth; the "login" persists until you close your browser because it is the browser that maintains the "logged in" state by sending the auth "login" data with each request.
Hopefully, that may throw some light on the subject.
Jim
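To make Jim's point concrete, here is a small added model (written for this thread, not code from Apache, the original poster or Jim) of what happens between a browser and a Basic-auth protected directory. The server side re-checks the Authorization header on every request and keeps no login state, using the real Apache htpasswd "{SHA}" password format; the browser side keeps the credentials per protection space (the directory that first challenged it and everything below, as RFC 7617 describes) and re-sends them preemptively. The protected path /FamilyTree/, the realm from the httpd.conf above, and the user "alice" with her passwords are constructed for the example. The run at the end shows the one prompt, the silent re-sends, and what a password change in the AuthUserFile does to the next request.

```python
"""Model of HTTP Basic auth: stateless server, credential-caching browser (added example)."""
import base64
import hashlib
import hmac
import posixpath


def htpasswd_sha(password: str) -> str:
    """Apache 'htpasswd -s' entry: '{SHA}' + base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    return stored.startswith("{SHA}") and hmac.compare_digest(stored, htpasswd_sha(password))


class ApacheLikeServer:
    """Authorises every request from scratch; nothing is remembered between requests."""

    def __init__(self, protected_prefix, realm, users):
        self.protected_prefix = protected_prefix  # e.g. "/FamilyTree/" (constructed)
        self.realm = realm                        # AuthName from httpd.conf
        self.users = users                        # AuthUserFile contents: user -> {SHA} hash
        self.access_log = []                      # (path, status, remote_user) like access_log

    def handle(self, path, headers):
        remote_user = "-"
        if path.startswith(self.protected_prefix):
            remote_user = self._authenticate(headers.get("Authorization"))
            if remote_user is None:
                self.access_log.append((path, 401, "-"))
                return 401, {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
        self.access_log.append((path, 200, remote_user))
        return 200, {}

    def _authenticate(self, header):
        if not header or not header.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        stored = self.users.get(user)
        if not sep or stored is None or not verify_password(stored, password):
            return None
        return user


class Browser:
    """Caches credentials per protection space and re-sends them on every matching request."""

    def __init__(self, server, credential_prompt):
        self.server = server
        self.prompt = credential_prompt   # callable(realm) -> (user, password); stands in for the dialog
        self.cache = {}                   # directory prefix -> Authorization header value
        self.prompts = 0

    def get(self, path):
        headers = {}
        for prefix, auth in self.cache.items():
            if path.startswith(prefix):
                headers["Authorization"] = auth  # preemptive send: this is the "persisting login"
                break
        status, resp = self.server.handle(path, headers)
        if status != 401:
            return status
        # Challenged (no cached credential, or the cached one was rejected): ask the user.
        realm = resp["WWW-Authenticate"].partition('realm="')[2].rstrip('"')
        self.prompts += 1
        user, password = self.prompt(realm)
        auth = "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        status, _ = self.server.handle(path, {"Authorization": auth})
        directory = posixpath.dirname(path) + "/"
        if status == 200:
            self.cache[directory] = auth       # remembered until the browser is closed
        else:
            self.cache.pop(directory, None)    # drop the stale credential
        return status


def run_scenario():
    """Returns (status per page visit, number of prompts, server access log)."""
    users = {"alice": htpasswd_sha("correct horse")}               # constructed AuthUserFile
    server = ApacheLikeServer("/FamilyTree/", "Family members Only", users)
    browser = Browser(server, lambda realm: ("alice", "correct horse"))  # user always types the old password
    visits = [
        browser.get("/index.html"),             # outside the realm: 200, no prompt
        browser.get("/FamilyTree/index.html"),  # 401 challenge, one prompt, retry gives 200
        browser.get("/FamilyTree/tree.html"),   # credentials re-sent silently: 200, no prompt
    ]
    users["alice"] = htpasswd_sha("new password")  # operator edits the password file
    visits.append(browser.get("/FamilyTree/tree.html"))  # cached credential now rejected: 401 and a new prompt
    return visits, browser.prompts, server.access_log


if __name__ == "__main__":
    for entry in run_scenario()[2]:
        print(*entry)
```

The access log produced by the run is the check Jim suggested: a real request for a protected page is either a 401 with "-" as the user or a 200 carrying the authenticated username, and the password change takes effect on the very next request because the server never trusted anything but the header it was just sent. What the server cannot do is make the browser forget the credential; only the browser closing (or a changed password or realm) ends the "login".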