WebApp Sec mailing list archives
RE: HTTP authentication and session timeout
From: "Jason Coombs" <jasonc () science org>
Date: Mon, 25 Nov 2002 09:53:26 -1000
Re-read RFC 2617 http://www.ietf.org/rfc/rfc2617.txt The server doesn't send the authentication credentials to the client, it's the other way around. Closing all browser windows and restarting the browser is the only way to clear the Basic Authentication cached credentials on the client unless Internet Explorer is used and a custom ActiveX Control is built per Q195192 HOWTO: Clear Logon Credentials to Force Reauthentication http://support.microsoft.com/default.aspx?scid=KB;en-us;195192& Browser programmers are not told clearly in RFC 2617 whether the Realm should have anything at all to do with determining the equivalence of one password-protected resource with another, and FQDN is therefore used instead by all browsers while Realm is merely eye candy for the end-user. Sincerely, Jason Coombs jasonc () science org -----Original Message----- From: Craig Skelton [mailto:craig () craigskelton com] Sent: Monday, November 25, 2002 5:28 AM To: webappsec () securityfocus com; 'UDP 53' Subject: Re: HTTP authentication and session timeout The auth string is initially sent to the browser from the server as a base64 encoded pair. From the server side, you can override the current auth string by simply sending a new one. Send a blank string or a string with invalid data, and you have effectively logged out the user... One has to point out that this inherently means the connection must be statefull in some way, since you must know when and who to timeout.Therefore, I wonder why you would really want to stick with basic http auth?
Current thread:
- HTTP authentication and session timeout UDP 53 (Nov 25)
- <Possible follow-ups>
- RE: HTTP authentication and session timeout Dawes, Rogan (ZA - Johannesburg) (Nov 25)
- Re: HTTP authentication and session timeout Craig Skelton (Nov 25)
- RE: HTTP authentication and session timeout Jason Coombs (Nov 25)
- Re: HTTP authentication and session timeout Craig Skelton (Nov 26)
- Re: HTTP authentication and session timeout Craig Skelton (Nov 25)