Web server quirk or misconfiguration?


4 replies to this topic

#1 123

123

    Cocoonut

  • Registered
  • 2170 posts
  • Location:Montreal, QC
  • Experience:average
  • Software:Premise
  • Hardware:Elk M1

Posted 10 June 2008 - 08:53 AM

I'm now able to connect to my Premise Server, from a remote location, using SSL. A dialog box pops up and challenges me to identify myself. After logging in, I have full access to the Premise Browser UI. All good, so far.

The problem seems to be that the session's authentication persists even after I log out. It goes like this:
  • Connect (1st time)
  • Authentication is requested
  • Login
  • Do stuff
  • Logout
  • Close browser tab
  • Connect (2nd time)
  • No authentication is requested ... !?!
Play-by-play:
  • I'm logged in.
  • I click "Logout" and it ushers me to the "Users" page.
  • I close the tab in IE7.
  • I enter the URL for the Premise server.
  • This time I am not challenged to authenticate myself; it presents the "Users" page.
  • If I close IE7, restart it, enter the URL, I will be asked to login. The session's authentication appears to be cached somewhere and flushed only if IE7 is restarted.
OK, web gurus, what's happening here? Is the web server holding on to the session when it should have been purged after logout?

Is any of this session-handling stuff configurable in Premise's web server?


FWIW, using the same browser, my bank's web site does not behave this way. If you re-connect you will be asked to identify yourself again.

Edited by 123, 10 June 2008 - 09:02 AM.


#2 huggy59

huggy59

    Dedicated Cocooner

  • Registered
  • 608 posts
  • Location:Maine, USA, Earth, Milky Way
  • Experience:guru
  • Software:Open Source Automation, Custom
  • Hardware:Ocelot, Custom
  • Tech:X10-PLC, X10-RF, 1-Wire, Custom
  • Audio:Custom
  • Video:Custom
  • CCTV:ip, dvr

Posted 10 June 2008 - 08:52 PM

No, your browser is caching the info. This is how the web works with simple authentication. If you close ALL your browser windows and restart your browser, you will again be challenged for an account and password. This is exactly why most secure sites (including some banking sites) warn/suggest you to shut down your browser after you finish your secure session at their site - because your browser is still holding on to the authentication info. There are ways around it, but it depends on how the browser and the web server communicate and what mechanism they use for this authentication.

#3 123

123

    Cocoonut

  • Registered
  • 2170 posts
  • Location:Montreal, QC
  • Experience:average
  • Software:Premise
  • Hardware:Elk M1

Posted 10 June 2008 - 09:15 PM

Thanks for the reply!

I'm ready to defer to your explanation ... except for the fact that I see other sites behave differently. For example, if I logout of eBay and then click the Browser's Back button, I'll see the last web page I visited while logged in to eBay ... compliments of the browser's cached web pages. However, if I attempt to access "Leave Feedback", eBay challenges me to identify myself.

Seems to me if I click "Logout", the web server should purge my web-session. Without the original session data, does it not make sense that any browser-cached authentication would be invalid with a new session?

Edited by 123, 10 June 2008 - 09:16 PM.


#4 John Hughes

John Hughes

    Dedicated Cocooner

  • Manufacturers
  • 839 posts

Posted 11 June 2008 - 12:58 AM

It depends on the type of authentication. If it is authentication between the web browser and web server (like Basic or Windows authentication) then the authentication data is stored in your browser until you close it (or in IE you can disable this feature altogether with a registry setting). The web application has no control over it... (well that's not completely true, you can flush the entire browser auth cache, but that clears all sites).

If the authentication is between the web browser and web application (as opposed to the web server) like cocoontech, hotmail, etc then the application has control over making you sign in again.

Hope this helps.

Johnny
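The distinction huggy59 and John Hughes describe, shown as an added simulation (this is not code from the thread or from Premise; the server classes, the `Browser` stand-in and the `alice` credential are all constructed for illustration). With HTTP Basic authentication the server keeps no session state, so "Logout" has nothing to revoke and a browser that still holds the cached `Authorization` header is let straight back in; with an application-level session cookie the server owns the session store and can delete the entry on logout, so the same cached cookie is refused afterwards.

```python
import base64
import secrets

# Constructed credential store for the demo (hypothetical user, not a real account).
USERS = {"alice": "correct horse battery staple"}


class BasicAuthServer:
    """Models HTTP Basic auth: stateless, every request is judged on its header alone."""

    def _check(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return USERS.get(user) == password

    def handle(self, headers):
        # 401 + WWW-Authenticate is what makes the browser pop up the login dialog.
        return (200, "Users page") if self._check(headers) else (401, "WWW-Authenticate: Basic")

    def logout(self, headers):
        # Nothing to forget: the server never stored a session in the first place.
        return (200, "Users page")


class SessionAuthServer:
    """Models application-level login: a server-side session store keyed by a cookie."""

    def __init__(self):
        self.sessions = {}  # session id -> user name

    def login(self, user, password):
        if USERS.get(user) != password:
            return (401, None)
        sid = secrets.token_hex(16)  # unguessable session id
        self.sessions[sid] = user
        return (200, sid)

    @staticmethod
    def _sid(headers):
        cookie = headers.get("Cookie", "")
        return cookie[4:] if cookie.startswith("sid=") else None

    def handle(self, headers):
        return (200, "Feedback page") if self._sid(headers) in self.sessions else (302, "login form")

    def logout(self, headers):
        # The application controls the store, so logout really does revoke access.
        self.sessions.pop(self._sid(headers), None)
        return (200, "logged out")


class Browser:
    """Keeps cached Basic credentials and session cookies until the whole browser is closed."""

    def __init__(self):
        self.basic_creds = {}  # host -> Authorization header value
        self.cookies = {}      # host -> Cookie header value

    def headers(self, host):
        h = {}
        if host in self.basic_creds:
            h["Authorization"] = self.basic_creds[host]
        if host in self.cookies:
            h["Cookie"] = self.cookies[host]
        return h

    def close(self):
        # Closing a tab clears nothing; closing the browser drops both caches.
        self.basic_creds.clear()
        self.cookies.clear()


def run_scenario():
    """Replays the thread's steps against both server types; returns the observed status codes."""
    browser, basic, app = Browser(), BasicAuthServer(), SessionAuthServer()
    result = {}

    # Basic auth: the dialog box is answered once, then the browser caches the header.
    browser.basic_creds["premise"] = "Basic " + base64.b64encode(b"alice:correct horse battery staple").decode()
    result["basic_login"] = basic.handle(browser.headers("premise"))[0]
    basic.logout(browser.headers("premise"))
    result["basic_after_logout"] = basic.handle(browser.headers("premise"))[0]  # tab closed, still 200
    browser.close()
    result["basic_after_restart"] = basic.handle(browser.headers("premise"))[0]  # challenged again

    # Session cookie: login happens in the page, the server hands out a cookie it can later revoke.
    status, sid = app.login("alice", "correct horse battery staple")
    browser.cookies["shop"] = "sid=" + sid
    result["session_login"] = app.handle(browser.headers("shop"))[0]
    app.logout(browser.headers("shop"))
    result["session_after_logout"] = app.handle(browser.headers("shop"))[0]  # cookie cached, yet refused
    return result


if __name__ == "__main__":
    for step, status in run_scenario().items():
        print(f"{step:22s} -> {status}")
```

The only structural difference between the two servers is that `SessionAuthServer` keeps a store it can delete from; that is exactly the control John Hughes says an application has and a Basic-auth-protected server does not.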

#5 123

123

    Cocoonut

  • Registered
  • 2170 posts
  • Location:Montreal, QC
  • Experience:average
  • Software:Premise
  • Hardware:Elk M1

Posted 11 June 2008 - 06:53 PM

Thanks for your help, gents.

In this case, I believe the authentication is between the browser and the web server as opposed to the web app. The login dialog box is a standard Windows form as opposed to fields within the web page.

I'll just have to remember to close the browser to purge the authentication info! A bit of a drag but at least the communications link is encrypted.


PS
I can see the web-session objects listed in Premise's web server. I thought that if I deleted my web-session (after logging out) I could purge the ability to re-establish the connection. Nice idea but Premise won't let you manually destroy web-session objects ... well, Builder lets you believe you can but if you restart Builder the deleted sessions reappear. Oh well.

Edited by 123, 11 June 2008 - 06:59 PM.
