  1. Crowd Data Center
  2. CWD-1967

Patch for Crowd authentication within apache for idle session timeouts


    Description

      Taken verbatim from http://forums.atlassian.com/thread.jspa?messageID=257346810&#257346810

      Hey All,

      I've created a patch against Crowd-Apache-Connector (http://confluence.atlassian.com/display/CROWD/Integrating+Crowd+with+Apache) to allow idle session timeouts in basic HTTP auth.

      It does this by maintaining a Cache::FileCache table (the same as Crowd's auth cache).

      The session is based on the remote IP (fetched from the Apache request object) and the supplied username.
      It performs the session check AFTER they have been successfully authenticated; this is to stop storing sessions on random user connects.

      Configuration is pretty simple and by default idle session timeouts are disabled.

      I'd like for Atlassian to include this patch in further versions of the Crowd Apache connector, as this allows basic HTTP auth with Crowd in Apache to be compliant for things like PCI DSS, which requires idle sessions be logged out.

      Documentation:
      New configuration options are added to support this:
      PerlSetVar CrowdIdleSessionsEnabled off
      PerlSetVar CrowdIdleSessionsTimeout 300
      PerlSetVar CrowdIdleSessionsLocation /tmp/CrowdIdleSessionsCache

      I should also note, currently sessions do not expire. This is because technically someone could leave an authenticated browser open for an indefinite time, and if the session has been cleaned up then they can refresh and still be authenticated.

      UPDATE: Noticed a bug in checking if CrowdIdleSessionsEnabled was set to off; it wasn't taking effect. Have uploaded v2, which fixes this.
      Any questions/criticisms, please let me know.

      Cheers
      Brendan
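
The check described in the post, modelled as an added example (not the patch itself and not Atlassian's code): a plain hash stands in for the Cache::FileCache table, and the function names, the forced re-login on timeout and the sample values are assumptions. The last call shows why the session records themselves are not expired.

```perl
#!/usr/bin/perl
# Added example: model of an idle-session check for HTTP basic auth.
# %store stands in for the Cache::FileCache table; all names are hypothetical.
use strict;
use warnings;

# Mirrors CrowdIdleSessionsEnabled / CrowdIdleSessionsTimeout (enabled here
# for the demonstration; the post says the feature is off by default).
my %cfg = (enabled => 1, timeout => 300);
my %store;    # key "ip|user" => epoch seconds of the last accepted request

# Call only AFTER Crowd has accepted the credentials, so failed or random
# connection attempts never create a record.
# Returns 'OK' or 'AUTH_REQUIRED' (a 401 makes the browser re-prompt).
sub check_idle {
    my ($ip, $user, $now) = @_;
    return 'OK' unless $cfg{enabled};
    my $key  = "$ip|$user";
    my $last = $store{$key};
    if (defined $last && $now - $last > $cfg{timeout}) {
        delete $store{$key};    # assumption: next valid login starts afresh
        return 'AUTH_REQUIRED';
    }
    $store{$key} = $now;        # new session, or activity on a live one
    return 'OK';
}

# Simulates a cache TTL: drops every record older than $ttl seconds.
sub purge {
    my ($now, $ttl) = @_;
    delete @store{ grep { $now - $store{$_} > $ttl } keys %store };
}

# Constructed sample: one browser at 192.0.2.10 logged in as "alice".
my ($ip, $user, $t) = ('192.0.2.10', 'alice', 1_000_000);
my @steps = (
    [ 0,    'first authenticated request' ],
    [ 120,  'activity inside the timeout' ],
    [ 421,  'refresh after 301 s of idleness' ],
    [ 430,  'user re-entered the password' ],
);
printf "%-34s %s\n", $_->[1], check_idle($ip, $user, $t + $_->[0]) for @steps;

# If records carried a TTL, a browser left open would lose its record while
# idle and its cached credentials would be treated as a brand-new session.
purge($t + 1330, 600);
printf "%-34s %s\n", 'refresh after record was purged',
    check_idle($ip, $user, $t + 1330);
```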

          People

            Unassigned
            Brendan Beveridge