Legrandin / PyAuthenNTLM2

PyAuthenNTLM2 is an authentication module for Apache. It validates a user by means of the NTLM protocol and a separate Domain Controller (or Active Directory server).

PyAuthenNTLM2 appears to incorrectly allow access to parallel directory that should be restricted #25

Open jacp1 opened 8 years ago

jacp1 commented 8 years ago

I have two parallel directories configured with access control (config below). In a web browser (IE11) as user 'aaa' I try to access a text file in testgroups2. I correctly get a 403 error. I then access a text file in the testgroups directory and correctly receive it. If I then rapidly hit the back button on the browser I can access the previously denied text file in testgroups2.

```apache
<Directory "/var/www/html/testgroups">
    AuthType NTLM
    AuthName XXX.COM
    require user aaa, bbb
    require valid-user
    PythonAuthenHandler pyntlm
    PythonOption Domain XXXX.COM
    PythonOption PDC ldap://xxx-dc-01/DC=xxx,DC=com
    PythonOption BDC ldap://xxx-dc-02/DC=xxx,DC=com
</Directory>
```

```apache
<Directory "/var/www/html/testgroups2">
    AuthType NTLM
    AuthName XXX.COM
    require user ccc
    require valid-user
    PythonAuthenHandler pyntlm
    PythonOption Domain XXXX.COM
    PythonOption PDC ldap://xxx-dc-01/DC=xxx,DC=com
    PythonOption BDC ldap://xxx-dc-02/DC=xxx,DC=com
</Directory>
```

jacp1 commented 8 years ago

Further to this, it seems that access to the unauthorised directory is allowed if the user switches from accessing a directory for which they have been authorised to another (which they should not be allowed to see) within the KeepAlive timeout period. In other words it appears that once a TCP connection has been authorised to access one directory it is treated as being authorised to access all directories. In reality, although the connection can be treated as still being authenticated, the authorisation should be rechecked with each request.
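The per-connection versus per-request distinction made in the comment above, as an added example that is not PyAuthenNTLM2's code: a small model of two handlers that both cache the NTLM-authenticated user on the keep-alive connection, where only one re-evaluates the directory's `require user` rule on every request. The `DIRECTORY_RULES` table, the `Connection` class and the handler names are assumptions constructed for the illustration, mirroring the two directories in the reported config.

```python
# Added example, not PyAuthenNTLM2 code: NTLM authenticates a TCP connection
# once, so caching the *identity* per connection is fine; caching the
# *authorisation* decision per connection produces the behaviour reported.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Hypothetical per-<Directory> "require user" lists, mirroring the issue's config.
DIRECTORY_RULES: Dict[str, Set[str]] = {
    "/var/www/html/testgroups": {"aaa", "bbb"},
    "/var/www/html/testgroups2": {"ccc"},
}

@dataclass
class Connection:
    """One keep-alive TCP connection with its NTLM-authenticated user."""
    user: Optional[str] = None
    authorised: bool = False  # only the buggy handler uses this

def directory_for(path: str) -> Optional[str]:
    """Longest <Directory> prefix containing the path, as Apache matches it."""
    matches = [d for d in DIRECTORY_RULES if path.startswith(d + "/")]
    return max(matches, key=len) if matches else None

def is_permitted(user: Optional[str], path: str) -> bool:
    """Evaluate the directory's require-user rule for this one request."""
    d = directory_for(path)
    return True if d is None else user in DIRECTORY_RULES[d]

def handle_request_buggy(conn: Connection, path: str) -> int:
    """Connection-scoped authorisation: after one permitted request, every
    later request on the same connection is waved through."""
    if conn.authorised:
        return 200
    if is_permitted(conn.user, path):
        conn.authorised = True
        return 200
    return 403

def handle_request_fixed(conn: Connection, path: str) -> int:
    """Per-request authorisation: reuse the cached identity, re-check the rule."""
    return 200 if is_permitted(conn.user, path) else 403

def replay(handler: Callable[[Connection, str], int], user: str,
           paths: List[str]) -> List[int]:
    """Several requests over one connection after a single NTLM handshake."""
    conn = Connection(user=user)
    return [handler(conn, p) for p in paths]
```

Replaying the reported sequence (denied directory, permitted directory, denied directory again) over one connection as user `aaa` returns `[403, 200, 200]` from the buggy handler and `[403, 200, 403]` from the fixed one.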