j_irwin — 2012-03-19T23:43:07-04:00 — #1
I've recently migrated the hosting of a site that had heaps of password protected directories. The previous hosting had cPanel which the client had used to set up all the usernames and passwords and I've been able to recreate this using the .htaccess and .htpasswd files as the new hosting doesn't have cPanel. All seemed to be working the same however we've just discovered that if you've entered your username/password once, it won't ask for it again - even if you've closed down the browser. This seems to be a new issue - I'm pretty sure during all my testing I was always asked for the username and password.
Is there a way to end a session using .htaccess? From everything I've read, the session should be ended (and the username/password forgotten) when the browser is closed but this isn't the case. There is no 'remember me' that has been ticked.
doug_g — 2012-03-20T00:39:47-04:00 — #2
The browser caches the login credentials, not the server. Completely close and then reopen your browser and you'll have to re-enter your username/password.
With firefox anyway there is a menu choice where you can reset credentials.
j_irwin — 2012-03-20T01:26:28-04:00 — #3
I have completely closed and reopened the browsers. Appears to behave correctly on an XP machine, however on Windows 7 IE and Chrome still hold onto the credentials.
dklynn — 2012-03-20T02:56:50-04:00 — #4
As you are aware, sessions are generally saved as cookies which can be set with an expiration date. Lacking an expiration, the cookie is automatically destroyed when the browser is closed. Therefore, your session cookies are being set with an expiration date (some time into the future). If you look into your login code, you should see this and remove the expiration date from the code which sets the session variables.
As for mod_rewrite, yes, it can access cookies using the CO flag:
What you can do is apply this to all scripts/pages (i.e., not to js, css, jpg, etc.) and arbitrarily set all lifetime values to either 0 or to 5 minutes. This could be the solution you're looking for (assuming you know the name of the cookie/session and the domain).
j_irwin — 2012-03-27T23:20:07-04:00 — #5
All that is in the htaccess file is:
AuthName "Newcastle City Council Username and Password required"
Not sure where a cookie would be set? It was all set up through cPanel Password Protected Directories.
dklynn — 2012-03-27T23:46:48-04:00 — #6
I believe that the Apache password protection is supposed to remain until the browser closes as a default action of the browsers.
To better protect your directory access, require $SESSION to login. The cookie is set by the sessionstart() should include the expiration time (normally when you close the browser but you can also specify a session_destroy() to ensure it will close with the script).
Are you using sessions? If you can't see the code, disable cookies then reload the page and look for an odd query string.