As part of the security policy we are upgrading our systems to comply with, I need to set our Apache LDAP Auth to have an idle-timeout of 15 minutes.
I.e., if the user stops using the system for over 15 minutes, the next time they go to use it they will need to re-authenticate.
Is this even possible?
If so, how can I achieve it?
My auth config in my .htaccess file looks like this:
AuthName "AD Authentication"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPUrl "URL"
AuthLDAPBindDN "DN"
AuthLDAPBindPassword "PASSWORD"
AuthzLDAPAuthoritative Off
require valid-user
Any ideas?
Best Answer
Unfortunately, basic authentication is not session-aware in any way. From the web server's perspective, they're actually forced to re-authenticate with every single request.
However, all browsers cache the credentials used for a basic auth connection, so that you don't need to re-enter credentials for every resource loaded from the server. The issue that this creates in your situation is that there's no way to 'expire' that data from the client browser; it keeps it as long as it wants.
To implement session timeouts, you may be stuck moving away from basic auth and toward a session-aware application.
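One session-aware option that stays inside Apache, shown as an added example that is not part of the original question or answer: form-based login with a server-issued session cookie that expires after 15 idle minutes. It assumes Apache 2.4 with mod_auth_form, mod_request, mod_session, mod_session_cookie and mod_session_crypto loaded; `/login.html` and the passphrase are placeholders, and the LDAP values are the question's own placeholders.

```apache
# Added example (not from the original post). Assumes Apache 2.4 with
# mod_auth_form, mod_request, mod_session, mod_session_cookie and
# mod_session_crypto loaded.

# Before: "AuthType Basic" + "AuthBasicProvider ldap".
# The browser caches Basic credentials and resends them on every request,
# so the server has nothing it can expire.

# After: form login backed by the same LDAP provider. Login state now
# lives in a session that the server issues and can time out.
AuthType form
AuthName "AD Authentication"
AuthFormProvider ldap
AuthLDAPUrl "URL"
AuthLDAPBindDN "DN"
AuthLDAPBindPassword "PASSWORD"

# Inline login: a request without a valid session gets a 401 whose body is
# the login page. /login.html is a hypothetical page; it must be readable
# without authentication and contain a POST form with an empty action and
# fields named httpd_username and httpd_password (the mod_auth_form defaults).
ErrorDocument 401 "/login.html"

# Keep the session in a cookie; Secure and HttpOnly keep it off plain HTTP
# and out of reach of page scripts.
Session On
SessionCookieName session path=/;HttpOnly;Secure

# Encrypt the cookie contents so the client cannot read or alter them.
# Placeholder value: replace with a long random secret.
SessionCryptoPassphrase "REPLACE-WITH-LONG-RANDOM-SECRET"

# 900 seconds = 15 minutes. The limit is reset each time the session is
# saved, so it acts as an idle timeout: after 15 minutes without a request
# the session is dropped and the next request gets the login form again.
SessionMaxAge 900

Require valid-user
```

With an encrypted client-side cookie the expiry is enforced by Apache when it reads the session back, so the timeout does not depend on the browser discarding anything.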