Sounds as though you're saying that once a browser receives a 401
response, it will no longer send the previously used credentials.  Now,
say the user "logs off", but fails to log in as someone else.  Would the
browser send the original, valid credentials if the user goes back (in
the same browser session) to a URL where it had previously been
authorized?

Jim

-----Original Message-----
From: Howie Hamlin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Saturday, August 26, 2000 9:02 AM
Subject: Re: Basic Authentication: Logging off


>Once a browser has been authenticated to a site it will continue to send the
>same credentials over and over (in the HTTP headers) until the web server
>responds with a "401 Unauthorized" response.  So, bearing that in mind, you
>need to have the web server stop accepting the credentials and send a 401
>(either by the server itself or the 401 can come from a CGI or such).  For
>example:
>
>- User accesses restricted page
>- Server checks credentials
>- Server sends 401 response
>- Browser opens local login dialog
>- User enters credentials
>- Browser sends credentials with next HTTP request
>- Server sends back non-401 response
>- Browser stores credentials and sends them for each additional request
>
>The browser will send these login credentials for every subsequent HTTP
>request.  Now, we want the user to log out.  They click on a logout button
>and some process on the server side cancels the login credentials.
>
>- Browser sends credentials with next HTTP request
>- Server sends back 401 response
>- Browser erases credentials and opens local login dialog
>
>HTH,
>
>Howie Hamlin - inFusion Project Manager
>On-Line Data Solutions, Inc.
>www.CoolFusion.com
>631-737-4668 x101
>inFusion Mail Server (iMS) - the World's most configurable mail server
>
>
>----- Original Message -----
>From: "Helge Hetland" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Saturday, August 26, 2000 4:53 AM
>Subject: OT: Basic Authentication: Logging off
>
>
>> We have a large site using Basic Authentication to log on the users to the
>> system.
>>
>> When the user is logged in we use the Remote_User variable to authenticate
>> the user to our DB and give him the content that he is "entitled to".
>>
>> We (of course) need to enable this user to log off the resource (and maybe
>> log in as another user), the only way now is to ask the user to shut down his
>> browser and log in again.
>>
>> Is there any way to force a logoff to the user's browser so that the browser
>> doesn't have to be restarted each time he wants to log in as another user?
>>
>>
>> Thanks,
>> Helge

------------------------------------------------------------------------------
Archives: http://www.mail-archive.com/[email protected]/