authentication : double login because of not expired cookie

[Pieter Vernooij]

Experts,

For a project I'm involved in, I've successfully setup Radius authentication (using OTP) between a web application (which includes an Apache webserver and mod_radius_auth) and an (external) Radius server. (Relevant: I've set cookie expiry time to a time interval of 8 hours, as choosing a shorter time interval caused problems in the behavior of my web application.)

However, I have some difficulties with Radius cookie-expiry behavior.

When a user closes the webapplication (after a successful login), and tries to login again with his username + token (having a cookie on his system which has not been expired yet):
- the web browser either gives a 401 error page or
- asks for re-authentication (asking for credentials again..)

(exact behavior is browser dependent). After such message, the user can login again.  It seems that the older cookie is then discarded / invalided. This is rather user unfriendly.

Does anyone has an idea how to deal with this? Best would be to have the cookie deleted from my system after the user logs off or closes the browser. Is turning to mod_auth_xradius a possible solution ? Or can I tweak something on Apache level?

Thanks you ever so much and greetings from the Netherlands,
Pieter







cheers,
Pieter




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140625/fbbdbd73/attachment.html>