I need some advice. We have Apache running on several internal application servers within our manufacturing sites. We have Apache talking to our internal LDAP server so with the correct configuration of Apache, we now get prompted for our username and password when we go to the protected html/cgi pages of our webserver.

We had to setup a common PC in several areas that would allow access to our website for privileged and non-privileged users to walk up and use.

After IE or FF gets a successful the username and password, it caches this username/password up until you close browser. So once a privileged user uses the browser, they must remember to close it and re-start it again to clear their cached username/password. Of course they forget leaving all their permissions open for anyone to use.

So… Is there a way to tell the browser to forget this information without closing the browser altogether? It would be nice if this “cached” username/password that the browser is automatically doing on their own to expire after some idle period time. We can setup these PCs anyway we like, but as it is now we can only remind them to shut down the browser and re-start for normal use again.

Thanks

Are you sure that your server isn't dropping a server-side or user-side cookie? In any case, the behavior of these browsers in that regard (you can turn off remembering passwords in the first place) is configurable, as long as the server isn't remembering this data for them. But, one of your public users could change the settings back, unless some measures are taken to prevent that. There are also 'kiosk' browsers available that can be ordered and/or setup in any fashion you require.

You could have it timeout with 5 minutes of inactivity, perhaps.

Are you sure that your server isn't dropping a server-side cookie? In any case, the behavior of these browsers in that regard is configurable, as long as the server isn't remembering this data for them.No, I guess I don't know that for sure!? :o

I sure didn't configure Apache to do anything different than what would be the default in this regard.

I didn't even think about Apache knowing the difference between each instance of a browser running on a PC. Like if I launch the browser and auth in. All pages pulled up don't prompt. Close it and then it does auth again. Now at the same time the browser is auth'd, I can bring up another instance of the browser, it will prompt me again for the password the first time.

So if it is server-side, I have to wonder if there would be such a thing as expiring on inactivity.

Since the comment was brought up that it might be server-side, I did a little poking around on the Apache web-site and found this excerpt from their pages.


Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.

However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.

Consequently, the answer to this question is, you can't. Sorry.

While I might have hoped that there might be a solution, I don't think that it sounds promising. :(

There are 'kiosk' browsers that can be used. These can be gotten in just about any configuration one desires.

Also, I use PayPal quite a bit in my work and the browser never remembers the password, only the username. I always assumed that this was because I have 'auto complete' (in IE - or its equivalent in others) turned off and the form field for the password is type="password".