Basic auth expires after 10 minutes #210
Comments
It seems that the user is authenticated indefinitely, which results in a TGT with a lifetime of 10 hours. However, if basic auth is used, is there any reason for this limit? Otherwise I would suggest setting it to
The reason why we use a short time-frame is that browsers normally store basic auth credentials and will resend them at each call.
I could try to provide a patch. The configuration this is used for is an HTML login form. Its backend issues a request via basic auth and sends the generated cookie back to the user. However, if the internal session expires after 10 minutes, the user would be redirected to the login page every 10 minutes, as it doesn't know about the basic authentication.
On Mon, 2019-11-18 at 06:22 -0800, Alexander Haase wrote:
I could try to provide a patch.
The configuration this is used for is a HTML login form. Its backend
issues a request via basic auth and sends the generated cookie back
to the user. However, if the internal session expires after 10
minutes, the user would be redirected to the login page every 10
minutes, as it doesn't know about the basic authentication.
Understood, let me know if you have difficulties providing a patch, I
think the use case makes sense and is worth allowing.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
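To make the trade-off in the exchange above concrete, here is a small constructed model (added for this write-up; it is not mod_auth_gssapi code and uses no real directive names) of the two client behaviours discussed: a browser that resends its Basic credentials on every request, and a form-login backend that uses Basic auth once and afterwards holds only the session cookie. The server side keeps a session table with a fixed lifetime; the user name, password, session ids and the 10-minute default are all constructed values.

```python
import base64
from dataclasses import dataclass, field

# Constructed default mirroring the lifetime complained about in the issue.
BASIC_SESSION_LIFETIME = 10 * 60  # seconds


def basic_header(user, pw):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


@dataclass
class Server:
    """Toy server: Basic login creates a session that expires after `lifetime`."""
    lifetime: int = BASIC_SESSION_LIFETIME
    sessions: dict = field(default_factory=dict)  # sid -> (user, expiry time)
    users: dict = field(default_factory=lambda: {"alice": "s3cret"})  # constructed
    _next_id: int = 0

    def _login(self, header, now):
        """Validate a Basic header; return a new session id or None."""
        scheme, _, value = header.partition(" ")
        if scheme != "Basic":
            return None
        user, _, pw = base64.b64decode(value).decode().partition(":")
        if self.users.get(user) != pw:
            return None
        self._next_id += 1
        sid = f"sess{self._next_id}"
        self.sessions[sid] = (user, now + self.lifetime)
        return sid

    def request(self, now, authorization=None, cookie=None):
        """Return (status, new_cookie). A live cookie wins; otherwise fall back
        to the Authorization header; otherwise 401."""
        if cookie in self.sessions:
            _user, expiry = self.sessions[cookie]
            if now < expiry:
                return 200, None
            del self.sessions[cookie]  # expired: drop it, force re-auth
        if authorization:
            sid = self._login(authorization, now)
            if sid:
                return 200, sid
        return 401, None


def simulate(resend_credentials, lifetime, times):
    """Replay requests at the given times (seconds) and return the status codes.

    resend_credentials=True  models a browser that sends Basic auth every time.
    resend_credentials=False models a form-login backend that authenticates
    once with Basic auth and then relies on the cookie alone.
    """
    srv = Server(lifetime=lifetime)
    auth = basic_header("alice", "s3cret")
    cookie = None
    statuses = []
    for t in times:
        send_auth = resend_credentials or cookie is None
        status, new_cookie = srv.request(
            t, authorization=auth if send_auth else None, cookie=cookie
        )
        if new_cookie:
            cookie = new_cookie
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    checkpoints = [0, 300, 900]  # 0, 5 and 15 minutes in
    print("browser, 10 min:      ", simulate(True, 600, checkpoints))
    print("form backend, 10 min: ", simulate(False, 600, checkpoints))
    print("form backend, 1 day:  ", simulate(False, 86400, checkpoints))
```

With a 10-minute lifetime the browser client never notices the expiry (the resent credentials silently create a fresh session), which is why a short window costs nothing in that setup and limits how long a leaked cookie stays usable. The cookie-only backend gets a 401 at the 15-minute mark, exactly the redirect-to-login loop described above; lengthening the lifetime for that deployment is what the requested option addresses.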
Fixes gssapi#210 Signed-off-by: Simo Sorce <simo@redhat.com>
Adds new option and tests Adds optional dependency on libfaketime to test this feature Fixes gssapi#210 Signed-off-by: Simo Sorce <simo@redhat.com>
Adds new option and tests. Adds optional dependency on libfaketime to test this feature. Fixes gssapi#210 Signed-off-by: Simo Sorce <simo@redhat.com>
Thanks for implementing this feature! :)
Adds new option and tests. Adds optional dependency on libfaketime to test this feature. Fixes: gssapi#210 Signed-off-by: Simo Sorce <simo@redhat.com> Merges: gssapi#217 Reviewed-by: Robbie Harwood <rharwood@redhat.com> (cherry picked from commit 09df758) [rharwood@redhat.com: git got confused by not having localname test]
Hi everyone,
I'm using this module to authenticate the users with their AD credentials via Kerberos, basic auth and a form login (which authenticates the user via PHP + basic auth). The GssapiUseSessions option is set to On, so the authentication process needs to be done only once. However, if I use basic auth for the first login and the session cookie for the following requests, the user can't be authenticated anymore after exactly 10 minutes. According to the source code, the user should be authenticated indefinitely and therefore logged in as long as the session is alive. The default krb5.conf should obtain tickets for one day. However, the log states and the request is terminated with an error 401.
So I guess the ticket is only valid for 10 minutes instead of a day. Is there any chance to increase this time limit? I couldn't find any hint in the source code, so I would appreciate some help.
Thanks ;)