Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

websockets #170

Closed MaroWielki closed 6 years ago

MaroWielki commented 6 years ago

Hello, I am using mellon to protect a location that works as a reverse proxy for regular HTTP requests as well as for websockets, with configuration like:

```
RewriteCond %{HTTP:Upgrade} =Websocket
RewriteRule /(.*) ws://servername
ProxyPass / http://servername
ProxyPassReverse / http://servername
```

The issue is that the websocket connections are not interrupted in any way after the mellon session expires (MellonSessionLength). This is different from regular POST/GET requests, which will require a new mellon session to be established once the MellonSessionLength timeout is exceeded.

olavmrk commented 6 years ago

Unfortunately I don't see any way that mod_auth_mellon can help here. As far as I can tell, once the request has been processed and the websocket connection started, there is no way to hook in any code in a sensible way. There is no "is connection still authenticated" hook.

(It is not so different from POST/GET requests; a request started before the session is terminated but where the data upload is not finished can linger past the session termination. I.e. authentication is checked when the request headers are received, not when data upload is completed.)
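The behaviour discussed in this thread, as an added example that is not part of the original issue or of mod_auth_mellon: a check made only at the handshake lets frames keep flowing after the session ends, while an application behind the proxy that knows the session expiry can close the websocket itself. `serve_until_expiry`, `simulate`, `recv`/`send` and `expires_at` are hypothetical names, and how the backend learns the expiry time is an assumption.

```python
import asyncio
import time

async def serve_until_expiry(recv, send, expires_at, clock=time.monotonic):
    """Echo messages until the peer closes or the session deadline passes.

    recv/send are hypothetical async callables standing in for a websocket
    library's receive and send. expires_at is a clock() value, or None to
    model the behaviour in the issue (checked once at the handshake only).
    Returns (messages_handled, reason).
    """
    handled = 0
    while True:
        timeout = None
        if expires_at is not None:
            timeout = expires_at - clock()
            if timeout <= 0:
                return handled, "session-expired"
        try:
            msg = await asyncio.wait_for(recv(), timeout)
        except asyncio.TimeoutError:
            return handled, "session-expired"
        if msg is None:  # peer closed the connection
            return handled, "peer-closed"
        await send(msg)
        handled += 1

async def simulate(session_length, messages=10, interval=0.05):
    """Constructed scenario: a client sends `messages` frames, `interval` apart."""
    inbox, sent = asyncio.Queue(), []

    async def client():
        for i in range(messages):
            await asyncio.sleep(interval)
            await inbox.put(f"frame-{i}")
        await inbox.put(None)  # signals that the client closed

    async def send(msg):
        sent.append(msg)

    expires_at = None if session_length is None else time.monotonic() + session_length
    producer = asyncio.create_task(client())
    result = await serve_until_expiry(inbox.get, send, expires_at)
    producer.cancel()
    return result

if __name__ == "__main__":
    print("handshake-only check:", asyncio.run(simulate(None)))
    print("deadline enforced:   ", asyncio.run(simulate(0.12)))
```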