From nd@perlig.de Wed Dec 11 22:18:02 2002
From: André Malo
Subject: Re: Docs correction? re Auth
Organization: TIMTOWTDI
Date: Wed, 11 Dec 2002 23:09:48 +0100
To: docs@httpd.apache.org

* Rich Bowen wrote:

> The following is a conversation that I've been having with someone about
> the authentication tutorial. To summarize, he says that the thing about
> it being impossible to log out is nonsense. He claims that the
> following method works.
>
> You create a link to or somesuch,
> and that this effectively resets the password cache on the browser.
>
> I guess I'm not entirely sure what he means, as I'm unable to reproduce
> his findings. Anyone got any thoughts on this?

He means: let the browser send wrong credentials, so that the server will
respond with a 401. Many (most?) browsers will forget the password for the
current realm then. That's true.

The problem is: such a URL is illegal. It's explicitly forbidden by RFC
1738 and RFC 2616. As a result of this, the trick may or may not work.
Most browsers convert such URLs into the appropriate HTTP headers, but not
all and not every time.
For example, Netscape Navigator 4 sends the
original URL without converting if there's a proxy configured (in the
browser). (Actually I had a proxy for a while that could not recognize such
URLs and therefore such requests never reached the server...)

Alternatively one could let the server respond with a 401 itself, for
instance using a CGI script or a specially prepared URL. But the same
problem appears: the client has to forget the credentials, and that's not
in the server's sphere of influence.

nd

-- 
print "Just Another Perl Hacker"; # André Malo, #
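The two mechanisms discussed in this thread, as an added example that is not part of the original mail or of the Apache documentation: `authorization_from_url()` models what a browser does when it converts a `http://user:pass@host/` URL into a Basic `Authorization` header (the client-side "logout" trick), and `route()` implements the server-side alternative, a dedicated URL that always answers 401 with the realm's `WWW-Authenticate` challenge. The realm name, the `/logout` path and the `alice`/`s3cret` credentials are constructed for the example. Note that the code can only provoke the 401; whether the browser then discards its cached credentials is, as the mail says, outside the server's control.

```python
"""Basic-auth "logout" by forcing a 401 (added example, not from the thread).

Assumed names: REALM, USERS and the /logout path are invented for this demo.
"""
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

REALM = "Protected Area"       # assumed realm name
USERS = {"alice": "s3cret"}    # constructed sample credentials


def authorization_from_url(url):
    """Mimic a browser turning URL userinfo into a Basic Authorization header.

    Returns None when the URL carries no userinfo, i.e. nothing would be sent.
    A browser that does NOT perform this conversion (the Netscape 4 + proxy
    case in the mail) would pass the userinfo through in the request line
    instead, and the server would never see a credential to reject.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None
    userpass = f"{parts.username}:{parts.password or ''}".encode("latin-1")
    return "Basic " + base64.b64encode(userpass).decode("ascii")


def check_basic(header):
    """Validate a Basic Authorization header against USERS.

    Returns the username on success, None for missing, malformed or wrong
    credentials. The comparison is constant-time and runs even for unknown
    users so that timing does not reveal which usernames exist.
    """
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    ok = hmac.compare_digest(
        password.encode("latin-1"),
        (expected if expected is not None else "\0" * 8).encode("latin-1"),
    )
    return user if (ok and expected is not None) else None


def route(path, authorization):
    """Pure request logic: returns (status, headers, body) for one GET."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if path == "/logout":
        # Always 401, even with valid credentials, so the browser sees a
        # failed authentication for this realm and *may* drop its cache.
        return 401, challenge, b"Logged out, if your browser cooperates\n"
    user = check_basic(authorization)
    if user is None:
        return 401, challenge, b"Authentication required\n"
    return 200, {"Content-Type": "text/plain"}, f"Hello {user}\n".encode()


class Handler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around route(); all decisions live in route()."""

    def do_GET(self):
        status, headers, body = route(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Try: curl -i http://alice:s3cret@127.0.0.1:8080/  then  .../logout
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Keeping the decision logic in `route()` separate from the socket handler lets the 401-on-`/logout` behaviour be tested without a running server, and makes it obvious that the server's only lever is the response code and challenge header.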