Not sure if my problem is with my NTLM authentication or with the webserver_auth module, but here goes:

My config:

  • Apache 2 on CentOS
  • Using Apache2::AuthenNTLM as described here.
  • Fresh 4.7.5 Drupal install with webserver_auth module

What works:

  1. When a user attempts to loads a page, the apache server first prompts them for login credentials, authenticates them with the domain contoller, and attempts to serve the page.
  2. Then Drupal calls webserver_auth_init, and checks their webserver login status, sees they are logged in, and logs the user into drupal (registering a new user, if necessary)
  3. Each subsequent page load seems to call webserver_auth_init, and since the user is logged into drupal, the page is served.

My problem:

  1. Suppose that user #1 closes their browser, terminating the apache ntlm session.
  2. If user #2 opens the browser on that compter and goes to the drupal site, apache will prompt them for their userid & password, authenticate them with the domain contoller, and let drupal serve the page.
  3. But when drupal calls webserver_auth_init, it thinks that user #1 is still logged into drupal and allows user #2 to browse the site logged in as user #1

Do I need to do something to get drupal to retrieve the user info from apache for each page load?

Comments

skor’s picture

skor commented

In case anyone comes accross a similar problem, I found a solution here.

In sites/default/settings.php (or your sites config file if different)
replace

ini_set('session.cookie_lifetime', 2000000);

with
ini_set('session.cookie_lifetime', 0);

Thanks tclineks

skor’s picture

skor commented
Status: Active » Closed (fixed)