httpd-docs mailing list archives

From André Malo ...@perlig.de>
Subject Re: Docs correction? re Auth
Date Wed, 11 Dec 2002 22:09:48 GMT
* Rich Bowen wrote:

> The following is a conversation that I've been having with someone about
> the authentication tutorial. To summarize, he says that the thing about
> it being impossible to log out, is nonsense. He claims that the
> following method works.
> 
> You create a link to <bogus:bogus@hostname.com/logout.html> or somesuch,
> and that this effectively resets the password cache on the browser.
> 
> I guess I'm not entirely sure what he means, as I'm unable to reproduce
> his findings. Anyone got any thoughts on this?

He means: let the browser send wrong credentials, so that the server will 
respond with a 401. Many (most?) browsers will forget the password for the 
current realm then.
That's true.
The problem is: Such a URL is illegal. It's explicitly forbidden by RFC 
1738 and RFC 2616. As a result of this, the trick may or may not work.

Most browsers convert such URLs into the appropriate HTTP headers, but not 
all and not every time. For example, Netscape Navigator 4 sends the 
original URL without converting if there's a proxy configured (in the 
browser).

(Actually I had a proxy for a while that could not recognize such URLs and 
therefore such requests never reached the server...)

Alternatively one could let the server respond with a 401 itself, for instance 
using a CGI script or a specially prepared URL. But the same problem appears: 
The client has to forget the credentials and that's not in the server's 
sphere of influence.

nd
-- 
print "Just Another Perl Hacker";

# André Malo, <http://www.perlig.de/> #
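The server-side variant described above (a URL that always answers 401 in the same realm), as an added example that is not from this thread or from httpd: a small WSGI app with a constructed realm and user table, where the 401 on /logout only invites the client to drop its cached credentials and the client remains free to ignore it.

```python
import base64
import hmac

# Constructed demo realm and user table (assumptions for this example, not from the thread).
REALM = "Demo Area"
USERS = {"alice": "s3cret"}
CHALLENGE = [("WWW-Authenticate", 'Basic realm="%s"' % REALM), ("Content-Type", "text/plain")]

def parse_basic(auth_header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not auth_header:
        return None
    scheme, _, blob = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def credentials_ok(creds):
    """True only for a known user with the right password (constant-time password compare)."""
    if creds is None:
        return False
    user, password = creds
    return user in USERS and hmac.compare_digest(password.encode(), USERS[user].encode())

def app(environ, start_response):
    """WSGI app: /logout always re-challenges; any other path needs valid credentials."""
    if environ.get("PATH_INFO", "/") == "/logout":
        # Answer 401 in the same realm no matter what was sent.  This is all the server
        # can do: whether the browser then drops its cached password is the client's call.
        start_response("401 Unauthorized", CHALLENGE)
        return [b"Logged out, if your browser honours the 401.\n"]
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if not credentials_ok(creds):
        start_response("401 Unauthorized", CHALLENGE)
        return [b"Authentication required.\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello, %s\n" % creds[0]).encode()]

def call(path, authorization=None):
    """Drive app on a constructed environ; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "HTTP_AUTHORIZATION": authorization}, start_response))
    return captured["status"], captured["headers"], body
```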
