Posted to users@httpd.apache.org by "Martinez Gonzalez, Francisco" <fm...@endesa.es> on 2004/09/01 09:09:48 UTC

RE: [users@httpd] LogOut

!!

I found a solution, but it only works on IE >= 6.0 SP1

The site with the solution is:
http://weblogs.asp.net/kclemson/archive/2003/11/17/53911.aspx


:)



-----Original Message-----
From: Martinez Gonzalez, Francisco
Sent: Tuesday, 31 August 2004 16:08
To: 'users@httpd.apache.org'
Subject: RE: [users@httpd] LogOut



:(


Thanks to all



-----Original Message-----
From: Robert Andersson [mailto:robert@profundis.nu]
Sent: Tuesday, 31 August 2004 12:14
To: users@httpd.apache.org
Subject: Re: [users@httpd] LogOut


Martinez Gonzalez, Francisco wrote:
> I have a web application with HTTP basic authentication (headers). If I
> want to login with another user, I have to close the browser and open
> again.
>
> Is there any way to make a logout without closing/opening the browser?

Nope, because you haven't really logged on in the first place. Login/logout
are terms used with sessions; HTTP and its Basic Authentication are
stateless. What happens when you "login" is that you teach the browser your
credentials so it can send them with each future request without querying
you.

In order to use other credentials in the same realm, you must make the
browser forget the current ones. This is, of course, browser dependent. One
complicated way that will often work is to temporarily remove the user from
the password file (or change the password) then have the browser make a
request, which will fail. That will usually cause it to prompt the user
again. A similar technique would be to change the realm name.

However, even if it is possible to mimic sessions with Basic Auth, it is not
what it was designed to do, so it will be dirty any way you do it.

Regards,
Robert Andersson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

This e-mail message and any attached files are intended SOLELY for the
addressee/s identified herein. It may contain CONFIDENTIAL and/or LEGALLY
PRIVILEGED  information and may not necessarily represent the opinion of
ENDESA. If you receive this message in ERROR, please immediately notify the
sender and DELETE it since you ARE NOT AUTHORIZED  to use, disclose,
distribute, print or copy all or part of the contained information. Thank
you.  


Re: [users@httpd] LogOut

Posted by Laura Vance <va...@winfreeacademy.com>.
Hello,

If it only works on IE, then I would have to say that it's very likely 
not a standards-compliant method.  When things don't follow standards, 
the vendor has no obligation to continue including them.  Even the 
article says that the users had to "convince" the IE team to do it.  
This tells me that the IE team could reconsider and remove it if they 
feel so inclined, then you're stuck with a specific version of IE and 
nothing else will work.

I agree with everyone who said that using a session cookie is best, 
because you can overwrite a cookie with blank values just as quickly as 
you can write a data-filled cookie to the browser.  And it's not there 
until the user wants it to be there by logging in. 

One of the solutions mentioned on that site (Windows Integrated 
Authentication) was that the browser could log itself into the 
application if it's inside your network without username/password.  
Maybe I'm paranoid, but I don't want one level of security to override 
the other levels of security. (ex. criminal gets physical access to a 
machine and then doesn't have to worry about authentication)  I want the 
electronic security model to be used no matter what other security a 
person is trying to bypass.  Granted, eventually someone could get into 
the systems if they wanted to, but I prefer not to help them. ;)

Anyway, these are just my thoughts, and in no way does it mean you have 
to abandon what you've done, but it's just something else to consider. :)


Martinez Gonzalez, Francisco wrote:

>!!
>
>I found a solution, but it only works on IE >= 6.0 SP1
>
>The site with the solution is:
>http://weblogs.asp.net/kclemson/archive/2003/11/17/53911.aspx
>
>
>:)
>  
>
-- 
Thanks,
Laura Vance
Systems Engineer
Winfree Academy Charter Schools
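
Added example, not part of the original thread: a sketch contrasting the stateless Basic Auth check described earlier in the thread with the session-cookie logout suggested above, where logout both drops the server-side session and overwrites the browser cookie with a blank value. The account, the cookie name `sid` and all function names are assumptions made for illustration.

```python
import base64
import secrets
from http.cookies import SimpleCookie

USERS = {"alice": "s3cret"}   # constructed sample account
SESSIONS = {}                 # session id -> user; the only server-side state

def check_password(user, password):
    stored = USERS.get(user)
    return stored is not None and secrets.compare_digest(stored.encode(), password.encode())

def basic_header(user, password):
    """What a browser resends on every request once it has cached Basic credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def basic_auth_user(headers):
    """Stateless check: there is nothing here a server-side 'logout' could revoke."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except ValueError:
        return None
    return user if check_password(user, password) else None

def login(user, password):
    """Issue a random session id in a cookie; returns (status, response headers)."""
    if not check_password(user, password):
        return 401, {}
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"].update({"path": "/", "httponly": True, "secure": True})
    return 200, {"Set-Cookie": cookie["sid"].OutputString()}

def session_user(headers):
    cookie = SimpleCookie(headers.get("Cookie", ""))
    return SESSIONS.get(cookie["sid"].value) if "sid" in cookie else None

def logout(headers):
    """Drop the server-side session, then overwrite the browser cookie with a blank."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    if "sid" in cookie:
        SESSIONS.pop(cookie["sid"].value, None)
    blank = SimpleCookie()
    blank["sid"] = ""
    blank["sid"].update({"path": "/", "max-age": 0})
    return 200, {"Set-Cookie": blank["sid"].OutputString()}
```

Removing the entry from `SESSIONS` is what makes a replayed copy of the old cookie useless; blanking the cookie alone only clears the browser's copy.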


