Hi Alan,
"Palmer J.D.F." <J.D.F.Palmer@swansea.ac.uk> wrote:
Is it possible to set the timeout for the auth cookie used by the mod_radius authentication module to 0; by Zero I mean no time, not infinite time?
You mean re-authenticate for every request? That would require source code changes.
Effectively yes, see the description of what I'm trying to do below.
Or, is there a way that I can clear the cookie on a failed login?
The module doesn't set the cookie on a failed login, so there shouldn't be any problem.
If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details. I guess it may not be a cookie if one isn't set, but the credentials are being cached somewhere.
At present, if a user login fails the user has to close the browser and open another in order to be able to re-enter their credentials, I want to try to get round this if possible.
I don't see why that would happen. The module was designed, and tested to work properly in that situation.
Can you explain more about what you're doing, how, and what browser you're using?
So far this has only been tested with IE on a patched up but otherwise std XP machine. The reason for the authentication is to log into a web-redirect gateway. An iptables rule redirects any un-authenticated IP/MAC pairs to the login page; on a successful login the page (a php page which resides in a protected folder) adds some iptables rules to allow that particular client (IP/MAC pair) through the gateway. This is why it doesn't matter that there is an instant timeout, as the client will not need to access the page again until his/her connection times out and the 'allowing' iptables rules are removed. The removal of stale connections is handled with a cron job script that compares iptables entries to the arp table on the internal interface, if there are iptables rules for an IP/MAC pair, but no arp entry for them then the iptables rules are removed. Quite crude, but it works. In summary, I have index.php that users are redirected to, this page contains a 'Log In' link to a page in a protected folder /gateway/go.php when they click the link they are challenged for credentials, if they are correct then /gateway/go.php loads setting some iptables rules, if it fails then we are currently loading a page called failed.php that explains to the user that they need to shut down the browser and open a new one and try again. An aside to this, is it possible to have a couple of text boxes on the login page where the user/pass are entered which are then sent to mod_radius, as opposed to having a pop up user/pass dialogue box? Thanks, Jezz Palmer.
Hi, Palmer J.D.F. schrieb:
If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details.
Sounds like it might be the browser that's caching the bad credentials .... :-(
This is why it doesn't matter that there is an instant timeout, as the client will not need to access the page again until his/her connection times out and the 'allowing' iptables rules are removed.
Note that you need to authenticate for every _file_ that's being transferred, so if your page contains e.g. any graphics (background image, icons, whatever) an instant timeout _will_ matter. Regards, Stefan
"Palmer J.D.F." <J.D.F.Palmer@swansea.ac.uk> wrote:
You mean re-authenticate for every request? That would require source code changes.
Effectively yes, see the description of what I'm trying to do below.
Was was pointed out, you'll get authentication dialogs for every gif & jpg on the page. This is a BAD idea.
If I get a failed login, then try to login again it just uses cached credentials and doesn't prompt for details, if I close and re-open the browser it does then allow me to enter details.
Then your browser is broken.
So far this has only been tested with IE on a patched up but otherwise std XP machine.
Read the rants in the source code for why IE isn't a web browser.
The reason for the authentication is to log into a web-redirect gateway. An iptables rule redirects any un-authenticated IP/MAC pairs to the login page; on a successful login the page (a php page which resides in a protected folder) adds some iptables rules to allow that particular client (IP/MAC pair) through the gateway.
There are "captive portal" programs that do this. Search the net for them, they'll probably be simpler to set up, and will work with IE. Alan DeKok.
participants (3)
-
Alan DeKok -
Palmer J.D.F. -
Stefan.Neis@t-online.de