Securing Your Web Pages with Apache Page 13
I've tried to address most of the common questions about Apache's security mechanisms that keep cropping up, but here are a couple I didn't cover (but which are still common):
- Q:
- How do I invalidate credentials? Someone has logged in to a protected page, but now wants to 'log out' so no-one else can use his browser window to access the page without logging in again. How do I make his browser forget the credentials that worked the first time?
- A:
- The simplest way is to redirect the client to a script that always returns a '401 Unauthorised' status, no matter what. That tells the client its credentials are invalid, so it should throw them away. To make this work, the script needs to be in the realm for which the credentials are being invalidated. The big disadvantage to this method is that the default client behaviour on getting a 401 status is to ask the user for new credentials -- so it's not a seamless operation. For a truly invisible invalidation of credentials, you need to remove them from the authentication database -- which means the user won't be able to log back in again. {sigh} It's not an easy thing to do; read the various discussions about it on the www-talk mailing list archives at the W3C.
- Q:
- How can I use the dbmmanage tool to manage an AuthDBMGroupFile database?
- A:
- In a word, you can't. At some point in the Apache 1.3 development cycle, the dbmmanage script was altered in such a way that it can now only deal with user files, and not with group files any more. This is a known deficiency, though, and hopefully the ability to handle group files will be added again to a release in the not-too-distant future.
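The always-401 'log out' script from the first answer above, written as a Python CGI program. This is an added example, not code from the original article; it assumes Basic authentication, and the realm name "Members Only" is a placeholder that must match the AuthName of the protected area the script lives in.

```python
#!/usr/bin/env python3
"""CGI 'log out' endpoint: always answers 401 for one Basic-auth realm."""
import sys

# Assumption: placeholder realm; it must equal the AuthName that protects
# the directory this script is installed in, or the browser keeps its
# cached credentials for the real realm.
REALM = "Members Only"


def quote_realm(realm):
    """Return the realm as an HTTP quoted-string.

    Control characters are refused so that a realm value taken from
    configuration can never inject an extra response header.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in realm):
        raise ValueError("control character in realm")
    return '"' + realm.replace("\\", "\\\\").replace('"', '\\"') + '"'


def logout_response(realm):
    """Build the complete CGI response: headers, blank line, body."""
    body = (
        "<html><head><title>Logged out</title></head>\n"
        "<body><p>Your credentials have been discarded. "
        "Cancel the password prompt and close this window.</p></body></html>\n"
    )
    headers = [
        # The CGI Status header sets the HTTP status line sent by the server.
        "Status: 401 Unauthorized",
        # The challenge names the realm whose credentials are now invalid.
        "WWW-Authenticate: Basic realm=" + quote_realm(realm),
        # Keep the protected area's pages from being replayed out of a cache.
        "Cache-Control: no-store",
        "Content-Type: text/html; charset=utf-8",
        "Content-Length: %d" % len(body.encode("utf-8")),
    ]
    return "\n".join(headers) + "\n\n" + body


if __name__ == "__main__":
    sys.stdout.write(logout_response(REALM))
```

The browser will still show its password prompt once after receiving this response, which is the non-seamless behaviour the answer describes.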
Going Further
You can also find some documentation at the following URLs:
- <URL:http://www.w3c.org/> (look for the archives of the www-talk mailing list)
- <URL:http://www.apache.org/docs/mod/mod_access.html>
- <URL:http://www.apache.org/docs/mod/mod_auth.html>
- <URL:http://www.apache.org/docs/mod/mod_auth_db.html>
- <URL:http://www.apache.org/docs/mod/mod_auth_dbm.html>
- <URL:http://www.apache.org/docs/mod/mod_auth_digest.html>
- <URL:http://www.apache.org/docs/mod/core.html> (see the Satisfy and Require directives)
- <URL:http://modules.apache.org/> (the Apache modules registry, for third-party modules)
Conclusion
