
RE: HTTP authentication and session timeout

From: Dawes, Rogan (ZA - Johannesburg) <rdawes(at)deloitte.co.za>
Date: Mon Nov 25 2002 - 09:57:47 EST


Only real way to do this is to use a different URL (thus maintaining state) for each session, and use that url as the realm.

Then, if the realm (==url) changes, the browser will "forget" about the credentials, and prompt the user to reenter them.

MS has a kluge where they do this in outlook webmail, but it is highly browser dependent. IE prompts to be reauthenticated, but Mozilla and Konqueror don't, for example.

Rogan

> -----Original Message-----
> From: UDP 53 [mailto:udp53@hotmail.com]
> Sent: 25 November 2002 01:13
> To: webappsec@securityfocus.com
> Subject: HTTP authentication and session timeout
>
>
> I am looking at a web app which uses HTTP authentication
Received on Mon Nov 25 10:20:14 2002
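
The scheme described in the reply above, sketched as an added example (not code from the original thread): each session gets its own URL prefix, that prefix is used as the Basic realm, and an idle session is redirected to a fresh prefix so the next challenge carries a new realm. The `/s/<token>/` layout, the timeout value, the demo account and all function names are assumptions.

```python
import base64
import hmac
import secrets

IDLE_TIMEOUT = 900                  # seconds; assumed idle limit
USERS = {"alice": "correct horse"}  # constructed demo account
sessions = {}                       # token -> time of last authenticated request

def credentials_ok(header):
    """Validate an 'Authorization: Basic ...' header value against USERS."""
    try:
        scheme, blob = header.split(" ", 1)
        user, _, password = base64.b64decode(blob).decode().partition(":")
    except (AttributeError, ValueError):  # missing or malformed header
        return False
    expected = USERS.get(user, "")
    return (scheme.lower() == "basic" and user in USERS
            and hmac.compare_digest(password.encode(), expected.encode()))

def handle(path, authorization, now):
    """Return (status, headers) for one request to /s/<token>/..."""
    parts = path.split("/")
    token = parts[2] if len(parts) >= 4 and parts[1] == "s" else None
    last_seen = sessions.get(token)
    if last_seen is None or now - last_seen > IDLE_TIMEOUT:
        # Unknown or idle session: retire it and move the client to a new
        # URL, which also means a new realm on the next challenge.
        sessions.pop(token, None)
        fresh = secrets.token_urlsafe(16)
        sessions[fresh] = now
        return 302, {"Location": f"/s/{fresh}/"}
    if not credentials_ok(authorization):
        # Realm == session URL. A browser that keys its credential cache on
        # the realm has nothing stored for it and must prompt the user.
        return 401, {"WWW-Authenticate": f'Basic realm="/s/{token}/"'}
    # The server cannot tell typed credentials from cached ones, so the
    # re-prompt still depends on the browser honouring the realm change.
    sessions[token] = now
    return 200, {}
```
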

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT

