AuthAny has its own Authen and Authz handlers; however, instead of returning
a 401, these handlers redirect to a "GATE" page which contains links for
each provider. The "basic auth" type links point to a directory with a
random value appended. This random value is kept in the database and cycled
with each logout. Browsers will not send the authorization header to the new
directory. The AuthName is also appended with a random string to assure that
the challenge pop-up is presented each time. This logout mechanism and
logout mechanisms for other providers allow AuthAny to maintain its own
permanent cookie in its database for control over recognition or
authentication states.

Kim

On Fri, Mar 25, 2011 at 5:39 AM, Perrin Harkins <per...@elem.com> wrote:

> On Wed, Mar 23, 2011 at 4:52 PM, Kim Goldov <kgol...@gmail.com> wrote:
> > We would like to release Apache2::AuthAny on CPAN.
>
> Please go ahead!
>
> How did you implement the logout for HTTP auth?
>
> - Perrin
>
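
An added sketch of the logout scheme described in the message above, written as a stand-alone Python model; it is not code from Apache2::AuthAny or from either poster. The class, the path prefix and the action names are assumptions, and a dict stands in for the database.

```python
import hmac
import secrets


class BasicAuthGate:
    """Per-session directory token for HTTP basic auth logout (model only)."""

    def __init__(self, prefix="/auth/basic_"):  # hypothetical path prefix
        self.prefix = prefix
        self.tokens = {}  # permanent cookie id -> current random value

    def _token(self, cookie_id):
        # Create the random value on first use; it stays fixed until logout.
        if cookie_id not in self.tokens:
            self.tokens[cookie_id] = secrets.token_hex(16)
        return self.tokens[cookie_id]

    def gate_link(self, cookie_id):
        """Link the GATE page shows for the basic-auth provider."""
        return f"{self.prefix}{self._token(cookie_id)}/"

    def realm(self, auth_name):
        """AuthName with a fresh random suffix, so no cached realm matches."""
        return f"{auth_name} {secrets.token_hex(4)}"

    def logout(self, cookie_id):
        """Cycle the stored value; the old directory stops being valid."""
        self.tokens[cookie_id] = secrets.token_hex(16)

    def handle(self, cookie_id, path, has_authorization):
        """Decide what to do with a request under the basic-auth prefix."""
        current = self.gate_link(cookie_id)
        directory = path[: len(current)]
        # Constant-time comparison of the requested directory with the stored one.
        if not hmac.compare_digest(directory.encode(), current.encode()):
            # Stale directory: credentials the browser cached for it are ignored.
            return "redirect-to-gate"
        if not has_authorization:
            return "challenge"  # 401 carrying realm() as the realm
        return "check-credentials"
```

After `logout`, a browser that still replays its cached Authorization header to the old directory is sent back to the gate, and the new directory plus new realm give it nothing cached to send.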
