Posted to modperl@perl.apache.org by Todd White <tm...@merit.edu> on 2003/03/28 20:27:29 UTC

AuthDBI logoff

i'm seeking a means by which i can allow my web users to "logoff" after
authenticating for access to restricted web space.  i realize that users
can just close their browser, but i'm seeking a solution that allows the
browser to remain open.  essentially, i want a button that a user can
click that causes the web browser to drop the credentials for the realm.

i'm considering writing an Apache handler and returning an
Apache::Constants constant.  but i'm wondering if anyone would have other
suggestions.

btw, Apache 1.3 / mod_perl 1



Re: AuthDBI logoff

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Todd White wrote:
> if there was a means by which i could strip out the Authorization header
> in the client request, this would force a 401 response from the server
> which would also satisfy my specific need.
> 
> is there a means by which i can manipulate an incoming request header from
> the client?

<Location /foo>
    # drop the client's Authorization header before the authen phase sees it
    PerlInitHandler 'sub { shift->headers_in->unset("Authorization"); 0 }'
</Location>

or something similar - you get the idea :)

--Geoff


RE: AuthDBI logoff

Posted by Frank Maas <fr...@cheiron-it.nl>.
Hi Todd,

Trying to logoff using Basic Auth is becoming something of a faq...

> if there was a means by which i could strip out the Authorization
> header in the client request, this would force a 401 response from
> the server which would also satisfy my specific need.

I doubt if this will work. I suspect you want to strip this out when
the user does his logout-request (ie. a request for .../logout.html).
If you do this, the browser should present a popup-box to the user,
which he most probably would cancel. However, most browsers seem to
recollect the authorisation information they used before. Thus, as
soon as the user gets to a page that requests a login, the browser
tries with the user credentials that were kept and a popup is never
shown.

As someone already suggested: use a Cookie based algorithm. The 
cookie gives you the opportunity to follow the status of the 
user and effectively log him out. Another approach I once saw was
the use of a dedicated realm for that user. Instead of using a fixed
realm (ie. security domain) the domain is on a per session basis.
You should still fix the session someway (using the uri or a cookie),
but you can still stick with the 'Basic Auth' mechanism.

Hope this helps.

--Frank
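Frank's per-session realm idea, as an added example that is not code from the thread: a mod_perl 1 PerlAuthenHandler that ties the Basic Auth realm to a session cookie and rotates the session on a logout request, so the credentials the browser cached for the old realm no longer apply and the prompt reappears. The module name My::SessionRealmAuth, the cookie name SRSID, the /members location and the htpasswd-style AuthUserFile are assumptions.

```perl
package My::SessionRealmAuth;      # hypothetical module name
use strict; use warnings;
use Apache::Constants qw(OK AUTH_REQUIRED);
# Assumed httpd.conf (mod_perl 1), with the logout URI inside the protected space:
#   <Location /members>
#     AuthType Basic
#     AuthName "Members"          # replaced per request below
#     PerlSetVar AuthUserFile /etc/httpd/members.htpasswd
#     PerlAuthenHandler My::SessionRealmAuth
#     require valid-user
#   </Location>
my $COOKIE = 'SRSID';              # constructed cookie name carrying the session id

sub handler {
    my $r = shift;
    my ($sid) = ($r->header_in('Cookie') || '') =~ /\b$COOKIE=([0-9a-f]{16})\b/;
    my $logout = $r->uri =~ m{/logout$} ? 1 : 0;
    # First visit or explicit logout: start a fresh session.  The id is not a
    # secret (credentials are re-checked on every request); it only has to
    # differ from the previous one so that the realm name changes.
    if ($logout || !$sid) {
        $sid = sprintf '%08x%08x', int(rand 0xFFFFFFFF), int(rand 0xFFFFFFFF);
        $r->err_headers_out->add('Set-Cookie' => "$COOKIE=$sid; path=/; HttpOnly");
    }
    # Browsers cache Basic credentials per realm, so a realm this browser has
    # never seen cannot be answered from cache and the login prompt reappears.
    $r->auth_name("Members (session $sid)");
    if ($logout) {
        $r->note_basic_auth_failure;   # 401 with WWW-Authenticate for the new realm
        return AUTH_REQUIRED;
    }
    my ($rc, $sent_pw) = $r->get_basic_auth_pw;
    return $rc unless $rc == OK;       # no Authorization header: 401 already prepared
    return OK if check_credentials($r->dir_config('AuthUserFile'),
                                   $r->connection->user, $sent_pw);
    $r->note_basic_auth_failure;
    return AUTH_REQUIRED;
}

# user:crypt-hash lines as written by htpasswd; stands in for AuthDBI's DBI lookup.
sub check_credentials {
    my ($file, $user, $pw) = @_;
    open my $fh, '<', $file or return 0;
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $hash) = split /:/, $line, 2;
        return crypt($pw, $hash) eq $hash if defined $u && $u eq $user;
    }
    return 0;
}
1;
```

The session cookie only selects the realm name; the password is still verified on every request, so a guessed or stolen cookie grants nothing by itself.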


Re: AuthDBI logoff

Posted by Todd White <tm...@merit.edu>.
if there was a means by which i could strip out the Authorization header
in the client request, this would force a 401 response from the server
which would also satisfy my specific need.

is there a means by which i can manipulate an incoming request header from
the client?



On Sat, 29 Mar 2003, Thomas Klausner wrote:

> Hi!
> 
> On Fri, Mar 28, 2003 at 02:27:29PM -0500, Todd White wrote:
> > i'm seeking a means by which i can allow my web users to "logoff" after
> > authenticating for access to restricted web space.  i realize that users
> > can just close their browser, but i'm seeking a solution that allows the
> > browser to remain open.  essentially, i want a button that a user can
> > click that causes the web browser to drop the credentials for the realm.
> 
> AFAIK, something like "logoff" is impossible with BASIC Auth (which AuthDBI
> uses).
> 
> Take a look at Apache::AuthCookie, which implements its own Authentication
> scheme and allows "logoff".
> 
> Or take a look at Recipe 13.7 in the mod_perl Developers Cookbook.
> 
> -- 
> #!/usr/bin/perl                               http://domm.zsi.at
> for(ref bless{},just'another'perl'hacker){s-:+-$"-g&&print$_.$/}
> 


Re: AuthDBI logoff

Posted by Thomas Klausner <do...@zsi.at>.
Hi!

On Fri, Mar 28, 2003 at 02:27:29PM -0500, Todd White wrote:
> i'm seeking a means by which i can allow my web users to "logoff" after
> authenticating for access to restricted web space.  i realize that users
> can just close their browser, but i'm seeking a solution that allows the
> browser to remain open.  essentially, i want a button that a user can
> click that causes the web browser to drop the credentials for the realm.

AFAIK, something like "logoff" is impossible with BASIC Auth (which AuthDBI
uses).

Take a look at Apache::AuthCookie, which implements its own Authentication
scheme and allows "logoff".

Or take a look at Recipe 13.7 in the mod_perl Developers Cookbook.

-- 
#!/usr/bin/perl                               http://domm.zsi.at
for(ref bless{},just'another'perl'hacker){s-:+-$"-g&&print$_.$/}