Lutz,
Re:
> I don't really understand your problem. What do you mean by "the browser
> still persists with the username and password"? Does it mean that you send
> these credentials with every request to the web server?
> What we do is this:
> If the browser makes a request without a cookie or with a wrong cookie, the
> server sends an HTTP 401 response and the user gets a login dialog; after
> checking the credentials on the server side, the server sends a cookie. All
> subsequent requests will carry the cookie; the browser does this for you.
> And the server checks at every request whether the cookie is valid.
> If the user presses the logout button, the server sends a cookie in the response
> with a cookie expiration of 0 or an expiration date in the past.
> The built-in 4D sessions work the same way AFAIK.
In our case we land the user on a login page which handles the httpAuth send,
avoiding the nasty dialog.
If the user is not authenticated they do not get in. No problem there.
If the user is authenticated then they are taken to the application (written in
Angular).
At some point they will click the logout button/link, which causes the
session to close (WEB CLOSE SESSION), and they are redirected to the login page.
If they then typed in the index of the application, the index.shtml file, the browser
was still passing in the old username and password, so the client was getting
through On Web Authentication, was issued a new session ID and
could use the system as before the logout.
What I have done today is: when the logout happens I now place a call using JS
from the logout page with invalid (null) credentials, which causes the username
and password to be cleared. Having carried out significant testing, we have not
been able to get back into an application page following a logout using this
method.
Regards, Dougie
________________________________________________________
telekinetix Limited- J. Douglas Cryer
Phone : 01234 761759 Mobile : 07973 675 218
2nd Floor Broadway House, 4-6 The Broadway, Bedford MK40 2TE
Email : [email protected] Web : http://www.telekinetix.com
________________________________________________________
On 01/03/2019, 15:56, "[email protected] on behalf of
[email protected]" <[email protected] on behalf of
[email protected]> wrote:
**********************************************************************
4D Internet Users Group (4D iNUG)
Archive: http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub: mailto:[email protected]
**********************************************************************