Return-Path: <rbowen@rcbowen.com>
Mailing-List: contact docs-help@httpd.apache.org; run by ezmlm
Delivered-To: mailing list docs@httpd.apache.org
Received: (qmail 18011 invoked from network); 11 Dec 2002 21:45:55 -0000
Received: from 198-93-112-61.xdsl.qx.net (HELO rhiannon.rcbowen.com)
 (198.93.112.61)
  by daedalus.apache.org with SMTP; 11 Dec 2002 21:45:55 -0000
Received: from localhost (localhost [127.0.0.1])
	by rhiannon.rcbowen.com (8.10.2/8.9.3) with ESMTP id gBBLjsW15287
	for <docs@httpd.apache.org>; Wed, 11 Dec 2002 16:45:54 -0500
Date: Wed, 11 Dec 2002 16:45:54 -0500 (EST)
From: Rich Bowen <rbowen@rcbowen.com>
To: Apache Documentation Project <docs@httpd.apache.org>
Subject: Docs correction? re Auth
Message-ID: <Pine.LNX.4.33.0212111641550.15227-100000@rhiannon.rcbowen.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N

The following is a conversation that I've been having with someone about
the authentication tutorial. To summarize, he says that the thing about
it being impossible to log out, is nonsense. He claims that the
following method works.

You create a link to <bogus:bogus@hostname.com/logout.html> or somesuch,
and that this effectively resets the password cache on the browser.

I guess I'm not entirely sure what he means, as I'm unable to reproduce
his findings. Anyone got any thoughts on this?

-- 
Rich Bowen - rbowen@rcbowen.com
As we trace our own few circles around the sun
We get it backwards and our seven years go by like one
	Dog Years (Rush - Test for Echo - 1999)

---------- Forwarded message ----------
Date: Tue, 10 Dec 2002 17:13:40 -0600
From: Ron Rockwell <ron@rrockwell.com>
To: Rich Bowen <rbowen@rcbowen.com>
Subject: Re: simply incorrect information in docs

Rich,

    I have never gotten the intermediate pop-window because the 403 is not
served
from the server in this example.... the crucial piece there is that the URL
that you
send them to with the false username:password is NOT protected by any
security,
its just an open page.  In the HTTP conversation, the client asks for the
page and
authenticates itself, but the server ignores the extraneous information and
returns
a 200 response.   I have tested this with all browsers, but not all servers
or versions
of servers... that remains to be seen....

  Up to you about documenting it, but the way it is documented now leaves
the reader
with little hope that a solution can be found... in fact... that NO hope
exists, that the
experts have all tried all of the various things.. etc. etc.   Documentation
has that
power of "all the experts" behind it.  So, maybe you should put it down as a
work-around,
so that people have some hope...  just my 2 cents..

Happy frags,

Ron Rockwell
ron@rrockwell.com

----- Original Message -----
From: "Rich Bowen" <rbowen@rcbowen.com>
To: "Ron Rockwell" <ron@rrockwell.com>
Sent: Tuesday, December 10, 2002 5:34 AM
Subject: Re: simply incorrect information in docs


> On Mon, 9 Dec 2002, Ron Rockwell wrote:
>
> > What I use instead is a false username:password pair to a known address
> > within the domain which does not have security placed on the url.
>
> When I have used this technique in the past, the result is that the
> server resends the 403 unauthorized header, and you get another password
> dialog, since the username:password pair were invalid. So, yes, you have
> invalidated the previous login, but you must now press cancel on a
> password dialog. This always struck me as a non-solution, since you end
> up getting this confusing intermediate dialog box. However, I'll
> experiment some more with it, and mention it in the doc if you like.
>