httpd-users mailing list archives

From jaweed ali <jaweed_...@hotmail.com>
Subject RE: [users@httpd] Is there any way that allows user to logout while using basic apache webserver authentication ?
Date Tue, 02 Sep 2008 23:07:49 GMT

Thanks for the reply.
Yes, I am using the "AuthType Basic" Apache directive within the <Location /directory>
tag,
and I am neither setting a cookie nor using JavaScript for the user ID and password.
 
In Basic Authentication, when a request is made to a URI, the web server returns an HTTP 401
unauthorized status code to the client:

HTTP/1.1 401 Authorization Required

This tells the client to supply a username and password.
Included in the 401 status code is the authentication header. The client requests the username
and password from the user, typically in a dialog box. The client browser concatenates the
username and password using a ":" separator and base64-encodes the string. A second request
is then made for the same resource, including the encoded username password string in the authorization
headers.
 
I hope this will give you an idea of what I am trying to do.

Right now the problem is that I could not find any mechanism available to the server to cause
the browser to 'logout'; that is, to discard its stored credentials for the user.
 
Thanks

> Date: Tue, 2 Sep 2008 17:21:41 -0500
> From: justinp@newmediagateway.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Is there any way that allows user to logout while using basic apache webserver authentication ?
>
> jaweed ali wrote:
> > Hi
> > I have apache with basic authentication set up with LDAP for users'
> > credentials. Apache allows me to log in on the server, but once a user logs in
> > to the web application and then even closes the browser, the browser
> > still has the Authentication Session safe. And next time, if you just
> > visit the same site, the browser itself passes the uid/password to log in to the
> > website, which is really a security issue, so anyone can access the site
> > from the PC.
> > I also performed a scenario such as:
> > 1: I set up my site as www.mysite.com/site
> > <http://www.mysite.com/site> and set up user1/passwd as uid password
> > to access it
> > 2: On the other hand I set up another directory, say
> > www.mysite.com/logout <http://www.mysite.com/logout>, and configured it to
> > authenticate logout/logout as userid password
> >
> > If I access www.mysite.com/site <http://www.mysite.com/site> by
> > passing user1/passwd it successfully logs in.
> > After that I access www.mysite.com/logout
> > <http://www.mysite.com/logout> with logout/logout successfully, but
> > the problem is that
> > if I just access www.mysite.com/site <http://www.mysite.com/site> it
> > just allows me to log in without asking for user id password
> >
> > So this way also does not provide a way to secure the site
> >
> > Is there any way that I can follow to secure my site, or is there no
> > way to secure a site with apache when using basic authentication?
> >
> > Thanks
>
> Are you using the "AuthType Basic" Apache directive or are you
> authenticating the user via another means (such as a script that prompts
> for the username and password, then saves it in a cookie)?
>
> If it is the former, then there is no standard way to allow the user to
> "logout". Some browsers (i.e. Firefox) have plug-ins available that will
> allow you to clear the HTTP authentication information, but they do not
> come with the browser. When you close the browser, it automatically
> clears this authentication information. Are you SURE that you closed ALL
> browser windows?
>
> If it is the latter (which actually sounds more likely, since you say
> the user is going to www.mysite.com/logout), then your code is probably
> setting a cookie with an expiration date in the future. The logout page
> is not properly clearing that cookie, so when you reopen the browser, the
> cookie is found and the user is automatically logged in. You would need
> to adjust your code so that it creates a cookie that is only active for
> the current session.
>
> Justin Pasher

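The Basic authentication exchange described in the message above, together with the /site and /logout scenario from the quoted post, as an added Python example that is not part of the original thread and is not Apache httpd code. The realm names, the PROTECTED table and the Browser class are assumptions made for illustration; Browser is a simplified model of a client that keeps one set of credentials per realm while it runs.

```python
import base64
import hmac

# Constructed sample data: paths and logins follow the thread, realm names are assumed.
PROTECTED = {
    "/site": ("site", {"user1": "passwd"}),
    "/logout": ("logout", {"logout": "logout"}),
}

def basic_header(user, password):
    """Client side: join with ':' and base64-encode (an encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def decode_basic(header):
    """Server side: recover (user, password); None if the header is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def serve(path, authorization=None):
    """Stateless check: each request is judged only by the header it carries."""
    realm, users = PROTECTED[path]
    creds = decode_basic(authorization) if authorization else None
    if creds and creds[0] in users and hmac.compare_digest(users[creds[0]].encode(), creds[1].encode()):
        return 200, {}
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

class Browser:
    """Simplified client model (assumption): one remembered header per realm."""
    def __init__(self):
        self.cache = {}
        self.prompts = 0

    def get(self, path, user=None, password=None):
        status, headers = serve(path)  # first attempt carries no credentials
        if status != 401:
            return status
        realm = headers["WWW-Authenticate"].split('"')[1]
        if realm not in self.cache:  # nothing remembered: this is the dialog box
            self.prompts += 1
            self.cache[realm] = basic_header(user, password)
        return serve(path, self.cache[realm])[0]
```

In this model, logging in to /logout adds a second cache entry and leaves the one for /site untouched, and serve() keeps no session that could be ended, so a later request to /site succeeds without a prompt, as the post describes.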