----- Original Message -----
From: "Jim McAtee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 26, 2000 12:55 PM
Subject: Re: Basic Authentication: Logging off
> Say a user is logged in as "howieh" at the following URL
>
> http://www.somesite.com/securecontent/
>
> Then you present a "log out" button which directs them to
>
> http://www.somesite.com/logout/logout.cfm
>
> and the CF template returns a 401 header (or do it with Perl if CF is
> unable to return this type of header). The user is presented with a
> login dialog in his browser. If he hits 'Cancel' or otherwise fails to
> log in as someone else, is he still logged in as 'howieh'? If he went
> back to the original, secured directory
>
I believe that the credentials are at that point expired in the browser.
> http://www.somesite.com/securecontent/
>
> would the browser still pass the necessary credentials?
>
I don't think so...
> Are the login credentials that the browser 'remembers' based on the base
> URL? If a logged in user went to
>
> http://somesite.com/securecontent/
>
> would the browser automatically validate the user?
>
Yes, the credentials are based on the domain being accessed (note that
www.somesite.com will have separate credentials from www2.somesite.com).
> Or what about
>
> http://www.somesite.com/MOREsecurecontent/
>
The browser should still use the credentials for www.somesite.com here (if
they are expired then they won't be sent).
For the best control over authentication you should really have a native
authenticator on the web server that you can control in code so that you can
send a 401 whenever you want.
Regards,
Howie
>
> Jim
>
>
> -----Original Message-----
> From: Howie Hamlin <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Saturday, August 26, 2000 10:41 AM
> Subject: Re: Basic Authentication: Logging off
>
>
> >The browser will continue to send the same credentials until it is restarted
> >or receives an "Unauthorized" response from the server.
> >
> >Regards,
> >
> >Howie
> >
> >----- Original Message -----
> >From: "Jim McAtee" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Saturday, August 26, 2000 12:34 PM
> >Subject: Re: Basic Authentication: Logging off
> >
> >
> >> Sounds as though you're saying that once a browser receives a 401
> >> response, it will no longer send the previously used credentials. Now,
> >> say the user "logs off", but fails to log in as someone else. Would the
> >> browser send the original, valid credentials if the user goes back (in
> >> the same browser session) to a URL where it had previously been
> >> authorized?
> >>
> >> Jim
> >>
> >
> >
> >------------------------------------------------------------------------------
> >Archives: http://www.mail-archive.com/[email protected]/
> >To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk
> >or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
>
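The server side of the logout approach discussed in this thread, as an added example that is not part of the original messages: the logout URL answers every request with a 401 challenge in the same realm as the protected directory, even when valid credentials arrive. The paths mirror the thread's URLs; the realm name, the user table and the function names are assumptions, and what a browser does with its remembered credentials after the 401 is decided by the browser.

```python
import base64
import hmac

REALM = "securecontent"  # assumed realm name, not from the thread
USERS = {"howieh": "constructed-pw"}  # constructed sample account
CHALLENGE = ("WWW-Authenticate", f'Basic realm="{REALM}"')


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_ok(creds):
    if creds is None:
        return False
    expected = USERS.get(creds[0])
    # Compare even for unknown users so timing does not single them out.
    same = hmac.compare_digest((expected or "").encode(), creds[1].encode())
    return same and expected is not None


def handle(path, auth_header=None):
    """Hypothetical dispatcher: return (status, headers) for one request."""
    if path.startswith("/logout/"):
        # Challenge unconditionally, in the same realm as the protected area,
        # so even valid credentials sent to this URL are answered with 401.
        return 401, [CHALLENGE, ("Cache-Control", "no-store")]
    if path.startswith("/securecontent/"):
        if credentials_ok(parse_basic(auth_header)):
            return 200, [("Cache-Control", "no-store")]
        return 401, [CHALLENGE]
    return 404, []


def app(environ, start_response):
    """WSGI wrapper, e.g. for wsgiref.simple_server.make_server."""
    status, headers = handle(environ.get("PATH_INFO", ""), environ.get("HTTP_AUTHORIZATION"))
    reason = {200: "OK", 401: "Unauthorized", 404: "Not Found"}[status]
    start_response(f"{status} {reason}", headers + [("Content-Length", "0")])
    return [b""]
```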