WebApp Sec mailing list archives

Re: HTTP authentication and session timeout


From: "Craig Skelton" <craig () craigskelton com>
Date: Mon, 25 Nov 2002 07:28:05 -0800

The auth string is initially sent to the browser from the server as a base64
encoded pair. From the server side, you can override the current auth 
string by simply sending a new one. Send a blank string or a string with 
invalid data, and you have effectively logged out the user...

One has to point out that this inherently means the connection must be
stateful in some way, since you must know when and who to
timeout. Therefore, I wonder why you would really want to stick with basic
HTTP auth?


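The state the message above refers to, shown as an added example that is not part of the original post: a server that decodes the `Authorization: Basic` credential, remembers when it last accepted each user, and answers 401 (with a `WWW-Authenticate` challenge, the standard way to make a browser re-prompt) once the idle window has passed or the user was explicitly logged out. The user store, realm name, timeout and the `BasicAuthGate` class are assumptions made for the example.

```python
import base64
import binascii
import hmac
import time

# Constructed demo user store (plaintext for brevity; hash passwords in real code).
USERS = {"alice": "s3cret"}
IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before the user is timed out
REALM = "example"        # hypothetical realm name


def make_basic_header(user, password):
    """Build the header value a browser sends: 'Basic base64(user:password)'."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic(header):
    """Decode 'Basic <base64>' into (user, password).

    Returns None for anything that is not a well-formed Basic credential:
    missing header, blank or wrong scheme, bad base64, or no ':' separator.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


class BasicAuthGate:
    """The per-user state Basic auth itself lacks: last-seen time and forced logout.

    Every request carries the credential again, so timeout and logout are
    only possible if the server remembers who it has seen and when.
    """

    def __init__(self, users, idle_timeout=IDLE_TIMEOUT, realm=REALM):
        self.users = users
        self.idle_timeout = idle_timeout
        self.realm = realm
        self.last_seen = {}       # user -> unix time of last accepted request
        self.forced_out = set()   # users whose next request must be challenged

    def _challenge(self):
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % self.realm}

    def logout(self, user):
        """Mark a user so the next request is refused and the browser re-prompts."""
        self.last_seen.pop(user, None)
        self.forced_out.add(user)

    def handle(self, auth_header, now=None):
        """Return (status, headers) for a request carrying auth_header."""
        now = time.time() if now is None else now
        creds = parse_basic(auth_header)
        if creds is None:
            return self._challenge()
        user, password = creds
        # Constant-time compare against a dummy when the user is unknown.
        expected = self.users.get(user, "")
        if not hmac.compare_digest(expected.encode(), password.encode()) or user not in self.users:
            return self._challenge()
        if user in self.forced_out:
            # Explicit logout: challenge once; the credential the browser sends
            # after re-prompting starts a fresh session.
            self.forced_out.discard(user)
            return self._challenge()
        seen = self.last_seen.get(user)
        if seen is not None and now - seen > self.idle_timeout:
            self.last_seen.pop(user, None)   # idle too long: drop the session
            return self._challenge()
        self.last_seen[user] = now
        return 200, {"Content-Type": "text/plain"}


if __name__ == "__main__":
    gate = BasicAuthGate(USERS, idle_timeout=60)
    hdr = make_basic_header("alice", "s3cret")
    print(gate.handle(hdr, now=1000))   # accepted, session starts
    print(gate.handle(hdr, now=1100))   # idle > 60 s: 401 challenge
```

Note the limitation this makes visible: after the 401 the browser re-sends exactly the same credential, so the server cannot tell a deliberate re-login from a cached replay. That is why the timeout has to live in server-side state rather than in anything the Basic scheme carries.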