0

In my VirtualHost config, I have a logout redirection which doesn't seem to work. I always get connection reset on either Firefox or Edge (latest versions) Here's my apache config:

Alias /logouttest /var/www/html/logouttest
LogLevel trace8
CustomLog /var/log/httpd/q-folder/access_log common
ErrorLog  /var/log/httpd/q-folder/error_log
DocumentRoot /var/www/html/logouttest

<Directory /var/www/html/logouttest>
  AllowOverride all
  Options -MultiViews

  AuthType Basic
  AuthName "please login"
  AuthBasicProvider ldap
  AuthLDAPURL ldap://xx.xxxxx.xx:389/OU=xxxxxx,OU=company,DC=xxxxx,DC=xx?sAMAccountName?sub?(objectclass=*)
  AuthLDAPBindDN  CN=LDAPQuery,OU=xxxxx,OU=xxxxxx,OU=xxxxxx,DC=xxxx,DC=xx
  AuthLDAPBindPassword 'xxxxxxxx'
  Require valid-user

  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1,NS]
  RequestHeader add X-Forwarded-User %{RU}e

  Session On
  SessionCookieName session path=/

</Directory>


<Location "/logout">
  SetHandler form-logout-handler
  AuthType Basic
  AuthName "please login"
  AuthFormLogoutLocation "/logout/logout.html"
  Session On
  SessionCookieName session path=/
</Location>

Note that the LDAP login works perfectly. Now I just want to clear the session when a user logs out.

The Apache error_log shows (just the piece when I click the logout button, which has a href to /logout/logout.html):

[Sat Jan 09 23:23:07.229311 2016] [core:trace5] [pid 15959] protocol.c(618): [client 000.00.0.00:62284] Request received from client: GET /logout/ HTTP/1.1
[Sat Jan 09 23:23:07.229431 2016] [http:trace4] [pid 15959] http_request.c(301): [client 000.00.0.00:62284] Headers received from client:, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229441 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   Host: 000.00.0.000, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229445 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229453 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229458 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   Accept-Language: de-CH,en-US;q=0.7,en;q=0.3, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229462 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   Accept-Encoding: gzip, deflate, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229465 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   DNT: 1, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229468 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   Referer: http://000.00.0.000/logouttest/, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229472 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   Authorization: Basic cGhpbGlwcGI6bGFzcG85MyRxcA==, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229475 2016] [http:trace4] [pid 15959] http_request.c(305): [client 000.00.0.00:62284]   Connection: keep-alive, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229651 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229666 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229761 2016] [authnz_ldap:debug] [pid 15959] mod_authnz_ldap.c(501): [client 000.00.0.00:62284] AH01691: auth_ldap authenticate: using URL ldap://xxxx.us/OU=xxxx/OU=kjkjkj/, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229781 2016] [authnz_ldap:trace1] [pid 15959] mod_authnz_ldap.c(522): [client 000.00.0.00:62284] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=myuname)), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.229995 2016] [ldap:debug] [pid 15959] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Sat Jan 09 23:23:07.539806 2016] [authnz_ldap:debug] [pid 15959] mod_authnz_ldap.c(593): [client 000.00.0.00:62284] AH01697: auth_ldap authenticate: accepting myuname, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.539845 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of Require valid-user : granted, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.539850 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of <RequireAny>: granted, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.539963 2016] [rewrite:trace3] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb49d770/initial] [perdir /var/www/html/logouttest/] strip per-dir prefix: /var/www/html/logouttest/logout/ -> logout/, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.539990 2016] [rewrite:trace3] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb49d770/initial] [perdir /var/www/html/logouttest/] applying pattern '.' to uri 'logout/', referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540109 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540118 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540138 2016] [authnz_ldap:debug] [pid 15959] mod_authnz_ldap.c(501): [client 000.00.0.00:62284] AH01691: auth_ldap authenticate: using URL ldap://xxxx.us/OU=xxxx/OU=kjkjkj/, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540145 2016] [authnz_ldap:trace1] [pid 15959] mod_authnz_ldap.c(522): [client 000.00.0.00:62284] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=myuname)), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540159 2016] [authnz_ldap:debug] [pid 15959] mod_authnz_ldap.c(593): [client 000.00.0.00:62284] AH01697: auth_ldap authenticate: accepting myuname, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540165 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of Require valid-user : granted, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540169 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of <RequireAny>: granted, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540232 2016] [rewrite:trace1] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb4a1770/subreq] [perdir /var/www/html/logouttest/] pass through /var/www/html/logouttest/var, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540313 2016] [rewrite:trace5] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb49d770/initial] [perdir /var/www/html/logouttest/] lookahead: path=/var/www/html/logouttest/logout/ var=REMOTE_USER -> val=myuname, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540348 2016] [rewrite:trace4] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb49d770/initial] [perdir /var/www/html/logouttest/] RewriteCond: input='myuname' pattern='(.+)' => matched, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540356 2016] [rewrite:trace5] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb49d770/initial] setting env variable 'RU' to 'myuname', referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540363 2016] [rewrite:trace1] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb49d770/initial] [perdir /var/www/html/logouttest/] pass through /var/www/html/logouttest/logout/, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540441 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540450 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540469 2016] [authnz_ldap:debug] [pid 15959] mod_authnz_ldap.c(501): [client 000.00.0.00:62284] AH01691: auth_ldap authenticate: using URL ldap://xxxx.us/OU=xxxx/OU=kjkjkj/, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540476 2016] [authnz_ldap:trace1] [pid 15959] mod_authnz_ldap.c(522): [client 000.00.0.00:62284] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=myuname)), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540489 2016] [authnz_ldap:debug] [pid 15959] mod_authnz_ldap.c(593): [client 000.00.0.00:62284] AH01697: auth_ldap authenticate: accepting myuname, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540495 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of Require valid-user : granted, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540499 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of <RequireAny>: granted, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540548 2016] [rewrite:trace1] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb493720/subreq] [perdir /var/www/html/logouttest/] pass through /var/www/html/logouttest/logout/index.html, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540624 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540632 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540641 2016] [authnz_ldap:debug] [pid 15959] mod_authnz_ldap.c(501): [client 000.00.0.00:62284] AH01691: auth_ldap authenticate: using URL ldap://xxxx.us/OU=xxxx/OU=kjkjkj/, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540647 2016] [authnz_ldap:trace1] [pid 15959] mod_authnz_ldap.c(522): [client 000.00.0.00:62284] auth_ldap authenticate: final authn filter is (&(objectclass=*)(sAMAccountName=myuname)), referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540659 2016] [authnz_ldap:debug] [pid 15959] mod_authnz_ldap.c(593): [client 000.00.0.00:62284] AH01697: auth_ldap authenticate: accepting myuname, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540665 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of Require valid-user : granted, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540669 2016] [authz_core:debug] [pid 15959] mod_authz_core.c(809): [client 000.00.0.00:62284] AH01626: authorization result of <RequireAny>: granted, referer: http://000.00.0.000/logouttest/
[Sat Jan 09 23:23:07.540702 2016] [rewrite:trace1] [pid 15959] mod_rewrite.c(468): [client 000.00.0.00:62284] 000.00.0.00 - myuname [000.00.0.000/sid#7f00bae5d258][rid#7f00bb497740/subreq] [perdir /var/www/html/logouttest/] pass through /var/www/html/logouttest/logout/index.php, referer: http://000.00.0.000/logouttest/

No chance for me so far to show the logout page. Thanks for any help.

Phipsen
  • 159
  • 3
  • 15

1 Answers1

0

here is my well work configuration.

configuration-part in httpd.conf 

------8<----8<------
<Location /logout>
  SetHandler form-logout-handler
  AuthFormLogoutLocation "/login_logout/logout.html"

  Session On
  # Session laeuft in einer Sekunde ab
  SessionMaxAge 1
  SessionCookieName form_auth_session path=/
  SessionCryptoPassphrase "<CryptoPassPhrase>"

</Location>

<Location />
        AuthFormProvider ldap file
        AuthLDAPURL "ldap://<LDAP-DN-URI>"
        AuthUserFile <save_pfad>/.htpasswd

        AuthName "authenticationform"
        AuthType form
        ErrorDocument 401 /login_logout/do_login.php
        AuthFormFakeBasicAuth on

        Session On
        # Anmeldung 3Monate = 31+30+31= 92 Tage * 24h * 3600 Sekunden = 7948800 Sekunden gültig
        SessionMaxAge 7948800
        SessionCookieName form_auth_session path=/
        SessionCryptoPassphrase "<CryptoPassPhrase>"
</Location>
------8<----8<------

You should use the Module "session_crypto_module". Reason: You can see in the session-cookie the LoginCredential in clear text =:-/ 

LoadModule session_crypto_module modules/mod_session_crypto.so

somewere in apache-configuration virtualhosts .htacces or other places

------8<----8<------
<Location /secure/>
  Require valid-user
</Location>
------8<----8<------

PHP-Script do_login.php that can switch to Secure-URL (creating with helps of stackoverflow.com ;-) )

<?php
// Source: [http://stackoverflow.com/questions/6768793/get-the-full-url-in-php][1]
function url_origin( $s, $use_forwarded_host = false )
{
    $ssl      = ( ! empty( $s['HTTPS'] ) && $s['HTTPS'] == 'on' );
    $sp       = strtolower( $s['SERVER_PROTOCOL'] );
    $protocol = substr( $sp, 0, strpos( $sp, '/' ) ) . ( ( $ssl ) ? 's' : '' );
    $port     = $s['SERVER_PORT'];
    $port     = ( ( ! $ssl && $port=='80' ) || ( $ssl && $port=='443' ) ) ? '' : ':'.$port;
    $host     = ( $use_forwarded_host && isset( $s['HTTP_X_FORWARDED_HOST'] ) ) ? $s['HTTP_X_FORWARDED_HOST'] : ( isset( $s['HTTP_HOST'] ) ? $s['HTTP_HOST'] : null );
    $host     = isset( $host ) ? $host : $s['SERVER_NAME'] . $port;
    return $protocol . '://' . $host;
}

function full_url( $s, $use_forwarded_host = false )
{
    return url_origin( $s, $use_forwarded_host ) . $s['REQUEST_URI'];
}

$absolute_url = full_url( $_SERVER );

?>
<html>
  <head>
    <title>Form-Auth: <?php echo $absolute_url?></title>
  </head>
  <body>
    <center>
      <table style="margin-top:2em;" border=1 cellspacing=0>
        <tr><th nowrap bgcolor=skyblue><?php echo $absolute_url ?></th></tr>
<?php
if (preg_match("/^http:/", $absolute_url))
{
  $save_absolute_url=preg_replace("/^http:/", "https:", $absolute_url);
?>
        <tr>
          <th nowrap align=middle style="padding:2em; background:#ff0000;color:yellow;">
              KEINE sichere Verbindung !!!<br> Passwort wird in Klartext &uuml;ber das Netz &uuml;bertragen !!! <br><br>
              Weiterleitung: [<a href="<?php echo $save_absolute_url?>"><?php echo $save_absolute_url?></a>]
          </th>
        </tr>
<?php
}  // end if (! preg_match("/^https:", $absolute_url))
?>
        <tr><td nowrap align=middle style="border-bottom:0;">WIN2003-Anmeldung erforderlich ...</td></tr>
        <tr>
          <td nowrap align=middle style="border-top:0; padding-top:1em;padding-left:2em;padding-right:2em;padding-bottom:0;">
            <form method="POST" action="">
              User: <input type="text"     name="httpd_username" value="" placeholder="Benutzername" />
              Password: <input type="password" name="httpd_password" value="" placeholder="Password" />
              <input type="submit" name="login" value="Login" />
            </form>
          </td>
        </tr>
      </table>
    </center>
  </body>
</html>

These configuration is very reliable and comfortable. I hope that solved your Problem.

Many Greatings :-)

Heiko Budras
  • 1