|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
RE: HTTP authentication and session timeout
Date: Mon Nov 25 2002 - 14:53:26 EST
http://www.ietf.org/rfc/rfc2617.txt
The server doesn't send the authentication credentials to the client, it's the other way around.
Closing all browser windows and restarting the browser is the only way to clear the Basic Authentication cached credentials on the client unless Internet Explorer is used and a custom ActiveX Control is built per
Q195192 HOWTO: Clear Logon Credentials to Force Reauthentication http://support.microsoft.com/default.aspx?scid=KB;en-us;195192&
Browser programmers are not told clearly in RFC 2617 whether the Realm should have anything at all to do with determining the equivalence of one password-protected resource with another, and FQDN is therefore used instead by all browsers while Realm is merely eye candy for the end-user.
Sincerely,
Jason Coombs
jasonc@science.org
-----Original Message-----
From: Craig Skelton [mailto:craig@craigskelton.com]
Sent: Monday, November 25, 2002 5:28 AM
To: webappsec@securityfocus.com; 'UDP 53'
Subject: Re: HTTP authentication and session timeout
The auth string is initially sent to the browser from the server as a base64 encoded pair. From the server side, you can override the current auth string by simply sending a new one. Send a blank string or a string with invalid data, and you have effectively logged out the user...
One has to point out that this inherently means the connection must be statefull in some way, since you must know when and who to timeout.Therefore, I wonder why you would really want to stick with basic http auth? Received on Mon Nov 25 18:39:14 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |