httpd-docs mailing list archives

From Rich Bowen <rbo...@rcbowen.com>
Subject Re: Docs correction? re Auth
Date Sun, 22 Dec 2002 14:07:38 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 11 Dec 2002, Rich Bowen wrote:

> The following is a conversation that I've been having with someone about
> the authentication tutorial. To summarize, he says that the thing about
> it being impossible to log out, is nonsense. He claims that the
> following method works.
>
> You create a link to <bogus:bogus@hostname.com/logout.html> or somesuch,
> and that this effectively resets the password cache on the browser.
>
> I guess I'm not entirely sure what he means, as I'm unable to reproduce
> his findings. Anyone got any thoughts on this?

Got thinking about this this morning, and tried the following, which
almost works:

<Directory /www/docs/private>
    AuthType Basic
    AuthName "Go Away"
    AuthUserFile /www/passwd/passwords
    Require user rbowen
</Directory>

<Directory /www/docs>
    <Files logout.html>
        AuthType Basic
        AuthName "Go Away"
        AuthUserFile /www/passwd/passwords
        Require user no-auth
    </Files>
</Directory>

/www/passwd/passwords contains a user "no-auth" with password "none".

Here's the strange part. Clicking a link to
http://no-auth:none@hostname/logout.html will, on Mozilla (1.1a) and
Netscape (4.72), cause the browser to make a request using the cached
information for the auth'ed user rbowen:

[Sun Dec 22 09:01:42 2002] [error] [client 127.0.0.1] access to
/logout.html failed, reason: user rbowen not allowed access

However, typing that URL into the URL bar (or highlighting the URL bar,
and then pressing enter) will cause the browser to auth as user
"no-auth" for that resource, which effectively logs the user out of the
other area. Sort of. So it seems that these browsers, at least, ignore
username/password information contained in a link, but trust it if they
think that you have typed it into the URL line.

I'm not planning to spend any more time on this, but I thought you might
be interested in what I had discovered.

Rich
- -- 
Oh I have slipped the surly bonds of earth
And danced the sky on laughter-silvered wings
 --High Flight (John Gillespie Magee)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Made with pgp4pine 1.75-6

iD8DBQE+Bcc1XP03+sx4yJMRAiaUAKDpAclKBfh/fjd1tIdcLGx62HYhoACgynKu
EOTaGlAVS0BDp7Ig9Ze1NsU=
=ZaKY
-----END PGP SIGNATURE-----
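The following is an added model of the experiment described in the message, not code from the original post or from the httpd project. It mirrors the two Apache blocks as a tiny Basic-auth decision function (same realm "Go Away", different `Require user`) and pairs it with a toy client whose password cache is keyed by host and realm, which is enough to reproduce the two observed outcomes: a clicked link replays the cached rbowen credentials and is refused, a typed URL uses the embedded user:password instead. The password file contents, the `hostname` host, the `Browser` class, the `typed` flag and the assumption that a failed `Require user` answers with 401 are all constructed for the example; real browsers also send cached credentials pre-emptively based on path, which this model leaves out.

```python
"""Model of the Basic-auth 'logout' experiment from the message above."""
import base64
from urllib.parse import urlsplit

# Constructed stand-in for /www/passwd/passwords. Plaintext only for the demo;
# a real htpasswd file holds hashed passwords.
PASSWD = {"rbowen": "rbowen-password-placeholder", "no-auth": "none"}

# Path -> (realm, required user), mirroring the <Directory> and <Files> blocks.
RULES = {"/private/": ("Go Away", "rbowen"), "/logout.html": ("Go Away", "no-auth")}


def rule_for(path):
    """Find the protection rule that applies to a request path, if any."""
    for prefix, rule in RULES.items():
        if path == prefix or (prefix.endswith("/") and path.startswith(prefix)):
            return rule
    return None


def make_basic(user, password):
    """Build an Authorization: Basic header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header):
    """(user, password) from an Authorization: Basic value, or None if malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def serve(path, authorization=None):
    """Decide a request the way the two httpd blocks would: (status, realm or log text)."""
    rule = rule_for(path)
    if rule is None:
        return 200, ""
    realm, required = rule
    creds = parse_basic(authorization)
    if creds is None or PASSWD.get(creds[0]) != creds[1]:
        return 401, realm  # challenge: WWW-Authenticate: Basic realm="..."
    if creds[0] != required:
        # Wording follows the error_log line quoted in the message. The status
        # code a given httpd version sends here varies; 401 is assumed for the model.
        return 401, f"access to {path} failed, reason: user {creds[0]} not allowed access"
    return 200, f"ok as {creds[0]}"


class Browser:
    """Toy client: one cached (user, password) per (host, realm), as Basic auth clients keep."""

    def __init__(self):
        self.cache = {}

    def request(self, url, typed):
        """typed=True models entering the URL in the address bar, False a clicked link."""
        u = urlsplit(url)
        status, info = serve(u.path)
        if status != 401:
            return status, info
        realm = info
        key = (u.hostname, realm)
        if typed and u.username is not None:
            creds = (u.username, u.password or "")  # embedded user:password is trusted
        else:
            creds = self.cache.get(key)  # clicked link: embedded user:password ignored
        if creds is None:
            return 401, realm
        status, info = serve(u.path, make_basic(*creds))
        if status == 200:
            self.cache[key] = creds  # a successful pair replaces the cached one for this realm
        return status, info


def demo():
    """Replay the message's sequence: logged in as rbowen, click the logout link, then type it."""
    browser = Browser()
    browser.cache[("hostname", "Go Away")] = ("rbowen", PASSWD["rbowen"])
    link = "http://no-auth:none@hostname/logout.html"
    clicked = browser.request(link, typed=False)  # cached rbowen replayed, refused
    typed = browser.request(link, typed=True)  # embedded no-auth used, accepted
    after = browser.request("http://hostname/private/index.html", typed=False)
    return clicked, typed, after


if __name__ == "__main__":
    for label, result in zip(("clicked", "typed", "private afterwards"), demo()):
        print(f"{label}: {result}")
```

The third request in `demo()` shows why the message says "sort of": once no-auth has replaced rbowen in the cache for the shared realm, the protected area refuses the browser until it is prompted again, which is the intended effect, but nothing was revoked on the server side.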
