httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Bowen <rbo...@rcbowen.com>
Subject Docs correction? re Auth
Date Wed, 11 Dec 2002 21:45:54 GMT
The following is a conversation that I've been having with someone about
the authentication tutorial. To summarize, he says that the thing about
it being impossible to log out, is nonsense. He claims that the
following method works.

You create a link to <bogus:bogus@hostname.com/logout.html> or somesuch,
and that this effectively resets the password cache on the browser.

I guess I'm not entirely sure what he means, as I'm unable to reproduce
his findings. Anyone got any thoughts on this?

-- 
Rich Bowen - rbowen@rcbowen.com
As we trace our own few circles around the sun
We get it backwards and our seven years go by like one
	Dog Years (Rush - Test for Echo - 1999)

---------- Forwarded message ----------
Date: Tue, 10 Dec 2002 17:13:40 -0600
From: Ron Rockwell <ron@rrockwell.com>
To: Rich Bowen <rbowen@rcbowen.com>
Subject: Re: simply incorrect information in docs

Rich,

    I have never gotten the intermediate pop-window because the 403 is not
served
from the server in this example.... the crucial piece there is that the URL
that you
send them to with the false username:password is NOT protected by any
security,
its just an open page.  In the HTTP conversation, the client asks for the
page and
authenticates itself, but the server ignores the extraneous information and
returns
a 200 response.   I have tested this with all browsers, but not all servers
or versions
of servers... that remains to be seen....

  Up to you about documenting it, but the way it is documented now leaves
the reader
with little hope that a solution can be found... in fact... that NO hope
exists, that the
experts have all tried all of the various things.. etc. etc.   Documentation
has that
power of "all the experts" behind it.  So, maybe you should put it down as a
work-around,
so that people have some hope...  just my 2 cents..

Happy frags,

Ron Rockwell
ron@rrockwell.com

----- Original Message -----
From: "Rich Bowen" <rbowen@rcbowen.com>
To: "Ron Rockwell" <ron@rrockwell.com>
Sent: Tuesday, December 10, 2002 5:34 AM
Subject: Re: simply incorrect information in docs


> On Mon, 9 Dec 2002, Ron Rockwell wrote:
>
> > What I use instead is a false username:password pair to a known address
> > within the domain which does not have security placed on the url.
>
> When I have used this technique in the past, the result is that the
> server resends the 403 unauthorized header, and you get another password
> dialog, since the username:password pair were invalid. So, yes, you have
> invalidated the previous login, but you must now press cancel on a
> password dialog. This always struck me as a non-solution, since you end
> up getting this confusing intermediate dialog box. However, I'll
> experiment some more with it, and mention it in the doc if you like.
>


Mime
View raw message