Lutz,

Re:
> I don't really understand your problem. What do you mean with "the browser
> still persists with the username and password"? Does it mean that you send
> these credentials with every request to the web server?
>
> What we do is this:
> If the browser makes a request without a cookie or with a wrong cookie, the
> server sends an HTTP 401 response and the user gets a login dialog; after
> checking the credentials on the server side, the server sends a cookie. All
> subsequent requests will carry the cookie; the browser does this for you.
> And the server checks at every request if the cookie is valid.
> If the user presses the logout button, the server sends a cookie as a response
> with a cookie expiration of 0 or an expiration date in the past.
> The built-in 4D sessions work the same way AFAIK.

In our case we land the user at a login page which handles the httpAuth send, avoiding the nasty dialog. If the user is not authenticated they do not get in. No problem there.

If the user is authenticated then they are taken to the application (written in Angular). At some point they will click the logout button/link and this would cause the session to close (WEB CLOSE SESSION) and they are redirected to the login page. If they then typed in the index of the application index.shtml file, the browser was still passing in the old username and password, so the client was getting through the On Web Authentication and was issued with a new session ID and could use the system as before the logout.

What I have done today is when the logout happens I now place a call using JS from the logout page with invalid (null) credentials, which causes the username and password to be cleared. Having carried out significant testing, we have not been able to get back in to an application page following a logout using this method.

Regards,
Dougie

________________________________________________________
telekinetix Limited - J. Douglas Cryer
Phone : 01234 761759
Mobile : 07973 675 218
2nd Floor Broadway House, 4-6 The Broadway, Bedford MK40 2TE
Email : jdcr...@telekinetix.com
Web : http://www.telekinetix.com
________________________________________________________

On 01/03/2019, 15:56, "4d_tech-boun...@lists.4d.com on behalf of 4d_tech-requ...@lists.4d.com" <4d_tech-boun...@lists.4d.com on behalf of 4d_tech-requ...@lists.4d.com> wrote:

> I don't really understand your problem. What do you mean with "the browser
> still persists with the username and password"? Does it mean that you send
> these credentials with every request to the web server?
>
> What we do is this:
> If the browser makes a request without a cookie or with a wrong cookie, the
> server sends an HTTP 401 response and the user gets a login dialog; after
> checking the credentials on the server side, the server sends a cookie. All
> subsequent requests will carry the cookie; the browser does this for you.
> And the server checks at every request if the cookie is valid.
> If the user presses the logout button, the server sends a cookie as a response
> with a cookie expiration of 0 or an expiration date in the past.
> The built-in 4D sessions work the same way AFAIK.

**********************************************************************
4D Internet Users Group (4D iNUG)
Archive: http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub: mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************
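
The logout behaviour discussed in this thread, as an added example that is not part of the original messages and is not 4D code: a simplified JavaScript model showing why closing only the server session lets the next request re-authenticate, and why a logout request carrying invalid credentials stops it. The `server`, `Browser` and `scenario` names, the sample account, and the assumption that the browser replays the last credentials it sent are all constructed for illustration; real browsers differ in how they cache HTTP authentication.

```javascript
// Constructed model: a server-side authentication hook and a browser that
// caches HTTP auth credentials. Nothing here is a 4D or browser API.
const USERS = new Map([["dougie", "s3cret"]]); // constructed sample account
const sessions = new Set();                    // currently valid session IDs
let counter = 0;                               // model only: real IDs must be unpredictable

// Accepts credentials on ANY request, like an authentication hook that runs
// whenever a request arrives without a valid session.
function server(req) {
  if (req.sid && sessions.has(req.sid)) return { status: 200, sid: req.sid };
  const { user, pass } = req.auth || {};
  if (user && USERS.get(user) === pass) {
    const sid = "sid-" + (++counter);
    sessions.add(sid);                         // a fresh session is issued
    return { status: 200, sid };
  }
  return { status: 401 };
}

// Logout as first implemented: only the server-side session is closed.
function closeSession(sid) { sessions.delete(sid); }

// Assumed browser behaviour: remember the last credentials sent and replay
// them on every later request to the same site.
class Browser {
  constructor() { this.cachedAuth = null; this.sid = null; }
  get(path, auth) {
    if (auth !== undefined) this.cachedAuth = auth; // explicit credentials replace the cache
    const res = server({ path, sid: this.sid, auth: this.cachedAuth });
    this.sid = res.status === 200 ? res.sid : null;
    return res.status;
  }
}

// Log in, log out, then request the application page directly.
// Returns the HTTP status of that final request.
function scenario(clearCredentialsOnLogout) {
  sessions.clear();
  const b = new Browser();
  b.get("/login", { user: "dougie", pass: "s3cret" });
  closeSession(b.sid);
  if (clearCredentialsOnLogout) {
    b.get("/logout", { user: "", pass: "" });  // invalid credentials overwrite the cache
  }
  return b.get("/index.shtml");
}
```

`scenario(false)` reproduces the reported problem (the page loads with a new session), and `scenario(true)` models the fix described in the reply (the request is rejected).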