RE: HTTP authentication and session timeout

["Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>]

Only real way to do this is to use a different URL (thus maintaining state)
for each session, and use that url as the realm.

Then, if the realm (==url) changes, the browser will "forget" about the
credentials, and prompt the user to reenter them.

MS has a kluge where they do this in outlook webmail, but it is highly
browser dependent. IE prompts to be reauthenticated, but Mozilla and
Konqueror don't, for example.

Rogan

> -----Original Message-----
> From: UDP 53 [mailto:udp53 () hotmail com]
> Sent: 25 November 2002 01:13
> To: webappsec () securityfocus com
> Subject: HTTP authentication and session timeout
>
>
> I am looking at a web app which uses HTTP authentication 
> (over SSL) for user
> login. No mechanism is employed for session state management, 
> and the app
> relies upon the default browser behaviour (of resending the encoded
> authentication string with each subsequent request) in order 
> to re-identify
> the user through their session. No form of timeout is enforced by the
> server.
>
> Does anyone know if it is possible to enforce any kind of server-side
> timeout in this set-up? I.e., is there a way for the server 
> to instruct the
> browser to destroy the cached login credentials, so that the user must
> reauthenticate?
>
>
> UDP53
> =====