WebApp Sec mailing list archives
Re: HTTP authentication and session timeout
From: "Craig Skelton" <craig () craigskelton com>
Date: Mon, 25 Nov 2002 17:09:09 -0800
Hmm. Perhaps I wasn't clear. You are correct, the browser sends the auth string. That's what I get for sending email prior to the first cup of coffee. In perl (CGI), try this: #!/usr/local/bin/perl $url = "http://loggedout:blank () the current url"; print "Location: $url \n\n"; or in php try this: <?php header( 'Location: http://loggedout:blank () the current url' ); ?> or in asp try this: <% Response.Redirect "http://loggedout:blank () the current url" %> ----- Original Message ----- From: "Jason Coombs" <jasonc () science org> To: "Craig Skelton" <craig () craigskelton com>; <webappsec () securityfocus com>; "'UDP 53'" <udp53 () hotmail com> Sent: Monday, November 25, 2002 11:53 AM Subject: RE: HTTP authentication and session timeout
Re-read RFC 2617 http://www.ietf.org/rfc/rfc2617.txt The server doesn't send the authentication credentials to the client, it's the other way around. Closing all browser windows and restarting the browser is the only way to clear the Basic Authentication cached credentials on the client unless Internet Explorer is used and a custom ActiveX Control is built per Q195192 HOWTO: Clear Logon Credentials to Force Reauthentication http://support.microsoft.com/default.aspx?scid=KB;en-us;195192&; Browser programmers are not told clearly in RFC 2617 whether the Realm should have anything at all to do with determining the equivalence of one password-protected resource with another, and FQDN is therefore used
instead
by all browsers while Realm is merely eye candy for the end-user. Sincerely, Jason Coombs jasonc () science org -----Original Message----- From: Craig Skelton [mailto:craig () craigskelton com] Sent: Monday, November 25, 2002 5:28 AM To: webappsec () securityfocus com; 'UDP 53' Subject: Re: HTTP authentication and session timeout The auth string is initially sent to the browser from the server as a
base64
encoded pair. From the server side, you can override the current auth string by simply sending a new one. Send a blank string or a string with invalid data, and you have effectively logged out the user... One has to point out that this inherently means the connection must be statefull in some way, since you must know when and who to timeout.Therefore, I wonder why you would really want to stick with basic http auth?
Current thread:
- HTTP authentication and session timeout UDP 53 (Nov 25)
- <Possible follow-ups>
- RE: HTTP authentication and session timeout Dawes, Rogan (ZA - Johannesburg) (Nov 25)
- Re: HTTP authentication and session timeout Craig Skelton (Nov 25)
- RE: HTTP authentication and session timeout Jason Coombs (Nov 25)
- Re: HTTP authentication and session timeout Craig Skelton (Nov 26)
- Re: HTTP authentication and session timeout Craig Skelton (Nov 25)