 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Timeout
 Date:  Sun, 16 Oct 2005 23:13:43 -0400
On 10/16/05, Frank Cisler <fcisler at gmail dot com> wrote:
> Hello all,
> Quick question.....How long is the timeout for the web gui?
> Reason I ask is that my iBook flops around the room. It's got
> 802.11b wireless. My wifi network is OPT1, and has captive portal on
> it. About 2 days ago I logged in to look at the logs...checked them out,
> closed the iBook. Opening it up 2 minutes ago, authenticating to captive
> portal, then hitting refresh on the stats page...to my surprise....it
> refreshed....I browsed around other pages and it's STILL available. If I
> close the page, then re-open it, it prompts for password though.
> This seems like a bit of a security flaw to me.....can anyone else test?

This is a function of your browser, not the server (m0n0wall in this
case).  The way HTTP(S) basic auth works is your browser caches your
credentials and presents them for every request to that server.  Most
browsers hold onto this until you close the browser, but some have
ways to clear the authentication manually.
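
Added example, not part of the original message and not m0n0wall's code: a minimal Python sketch of the server side of HTTP basic auth, showing why a header the browser replays two days later is accepted exactly like the first one. The credentials, function names and timeline are constructed for illustration.

```python
import base64
import hmac

# Constructed sample credentials for this illustration (not m0n0wall defaults).
USERNAME, PASSWORD = "admin", "example-pass"

def basic_auth_header(user, password):
    """What the browser builds after the first prompt and replays on every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def check_request(headers):
    """Stateless server-side check; returns an HTTP status code.

    Nothing here records when the user first authenticated, so there is
    no moment at which a replayed header stops being accepted.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401  # server sends WWW-Authenticate and the browser prompts
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return 401
    user, sep, password = decoded.partition(":")
    if not sep:
        return 401
    # Constant-time comparisons so the check does not leak match length.
    user_ok = hmac.compare_digest(user.encode(), USERNAME.encode())
    pass_ok = hmac.compare_digest(password.encode(), PASSWORD.encode())
    return 200 if (user_ok and pass_ok) else 401

def simulate():
    """Constructed timeline matching the situation described in the thread."""
    cached = basic_auth_header(USERNAME, PASSWORD)  # held in browser memory
    return {
        "first login": check_request({"Authorization": cached}),
        "refresh two days later, same browser session":
            check_request({"Authorization": cached}),
        "new browser session, no cached credentials": check_request({}),
    }

if __name__ == "__main__":
    for step, status in simulate().items():
        print(f"{status}  {step}")
```

The server sees the first and the two-days-later request as byte-identical, so any idle timeout would have to come from server-side session state, which basic auth does not have.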