How To Change Session Time Out In Apache?
Posted On Mon Sep 08, 2008 By brian jolset In Linux Forums And Topics Discussions For Wallpaper Websites Running On Linux Servers Forums
can you please help me.
i want to make my webserver more secured, and i want to be able to change my settings to time out instead of just staying forever. i think by default, apache times out after a certain period. but i'm not sure if this is really set in apache or in php. i searched /etc/httpd/conf/httpd.conf and /etc/php.ini but i could not find any settings with sessions. the closest i could find was this:
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 120
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off
thanks in advance
onux Wed Dec 08, 2010
Two different timeouts being discussed here. Session timeout is the php session that andrew and others mention above. TCP etc is a connection timeout.
The hijacking I think would refer to session hijacking where someone grabs your php session token, which is being used for authentication, over an unencrypted connection. Although TCP/IP injection attacks are possible, not sure this is what was being asked.
Aaron Sun May 02, 2010
/etc/httpd/conf/extra/htt 2.2/conf/extra/httpd-defa
Andrew Sun Feb 14, 2010
The timeout you're referring to is in PHP.ini
Monty Tue Jan 13, 2009
i think the config change you're after is session.gc_maxlifetime in the php.ini. this setting will remove the session when the timeout is hit.
therefore if a client remains idle for too long their session will be cleaned on the server. when they attempt to access the server after the cleanup they will (if coded correctly) be unable to continue, typically then taken back to the login screen.
hostman Mon Sep 08, 2008
you can also use unique session cookies with ssl encryption
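The idle timeout from Monty's reply and the HTTPS-only session cookie from hostman's reply, put together as an added example that is not code from any poster in this thread. The constants, the `enforce_session_timeout()` helper and the `/login.php` URL are hypothetical, and the array forms of `session_set_cookie_params()` and `setcookie()` assume PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT, ABSOLUTE_LIMIT and
// enforce_session_timeout() are hypothetical names; the values are assumptions.
const IDLE_LIMIT     = 900;    // seconds of inactivity allowed (15 min)
const ABSOLUTE_LIMIT = 28800;  // hard cap on total session age (8 h)

// gc_maxlifetime alone is not an exact timeout: garbage collection runs
// probabilistically (session.gc_probability / session.gc_divisor), so stale
// session data can outlive it. The check below enforces the limit per request.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL

session_set_cookie_params([
    'lifetime' => 0,       // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,    // sent only over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function enforce_session_timeout(int $now): bool
{
    $created = $_SESSION['created_at'] ?? $now;
    $last    = $_SESSION['last_seen']  ?? $now;

    if ($now - $last > IDLE_LIMIT || $now - $created > ABSOLUTE_LIMIT) {
        // Expired: wipe the server-side data and expire the cookie.
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => $now - 42000, 'path' => $p['path'], 'domain' => $p['domain'],
            'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
        ]);
        session_destroy();
        return false;
    }
    $_SESSION['created_at'] = $created;  // set once, on the first request
    $_SESSION['last_seen']  = $now;      // refreshed on every request
    return true;
}

if (!enforce_session_timeout(time())) {
    header('Location: /login.php');  // hypothetical login URL
    exit;
}
```

Include this at the top of every protected page, and call `session_regenerate_id(true)` at login so the authenticated session does not reuse the ID issued before login.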
safe Mon Sep 08, 2008
an attacker can hijack a web browser session more easily if the web server is not configured properly for session time-outs. for this reason, web applications and servers are usually configured to time out after a specific period of inactivity. this is called TCP/IP hijacking
if the web server time-out setting is too long, the attacker obtains enough time to use a compromised cookie or guess a session ID to hijack the session
attackers can use TCP/IP hijacking to attack clear-text connections, such as telnet. attackers can hijack a telnet session by using a man-in-the-middle attack.
for this, attackers monitor a telnet session and intercept data being transferred from a client to a server. attackers can use the intercepted information to take control of the session for transferring forged data packets.
the question is how can you prevent TCP/IP hijacking?
you can require a user to reauthenticate before transferring sensitive information. this reduces the risk of an attacker taking control of a user session.
hostman Mon Sep 08, 2008
i think TCP timeouts overrule apache timeouts, if you are trying to make your web server more secured, make sure you confirm your TCP settings also
Date: Mon Sep 08, 2008
Author brian jolset Received 7 Replies #3012