The problem is NOT in mod_ssl, the problem is in the browsers themselves.
There is no protocol for telling the browser that you don't want to use
the same username/password, that it should clear the cache.

Some browsers clear the cache after receiving a 401 Authentication
Required header when they send the same username and password that worked
for the same authentication realm.  This is not guaranteed for all
browsers.  (Though redirecting the logout button to a .asis file that
includes "HTTP/1.1 401 Authorization Required\r\nContent-type:
text/html\r\n\r\n" as the first two lines would probably be a good idea; I
don't know how well this would work, as I've not tested it.)

You -may- be able to find documentation at Netscape or Microsoft about an
X-Clear-Credential-Cache: or something (this is NOT something I've
researched, so it most likely WILL NOT work) header that will do what you
want, but chances are that whatever you find will be client-specific.

---
Mat Butler, Winged Wolf                       <[EMAIL PROTECTED]>
SPASTIC Web Engineer                  SPASTIC Server Administrator


On Fri, 19 May 2000, Doug Poulin wrote:

> I've seen this question asked many times over the past several weeks and have never
> had anyone come up with a response that works.  I think this is a serious security
> problem with browsers.
>
> Once you authenticate with a secure server, the browser remembers who you are so
> that it can include that information for future requests to that server.  However, I
> can't tell the browser to forget who I am without closing the browser.  That means
> that if I authenticate to a secure site, then go off to other sites and never close
> my browser, anyone coming along afterwards can go back to that secure site with my
> full access.
>
> I would like to be able to have multiple users share a PC and log on/off without
> having to restart the browser each time.
>
> This sounds like a straightforward problem but it is not.  Part of the problem
> involves being able to determine whether the user is logging on for the first time or
> returning from a previous session.  Without knowing that, the only solution appears
> to be in forcing the user to log in twice.  This happens because our login script
> automatically rejects (401 Unauthorized) the first login attempt.  This ensures that
> re-visits are forced to log in properly, but it also means that the first time in the
> server authenticates, then our login script rejects it, then they get logged in
> properly.
>
> Here are things that I have already tried.
>
> 1)  cookies:  They don't work because the server authentication always happens
> before the script sees the cookies.
> 2)  redirects: I thought I could redirect from a non-secure page to a secure page
> and force the server to authenticate.  The problem was that the browser never
> provided the remote-user name to the server for the non-secure page, but as soon as it
> got redirected it sent along the remote-user and bypassed the security again.
> 3)  server files: same basic problem as cookies.  You don't have enough information
> at the time you need it.
>
> Does anyone have any concrete code samples or ideas that actually work?
>
> While I'm at it, does anyone know what the options in the .htaccess file are?  I am
> particularly interested in the "require" directive.  I have tried the mod_ssl
> reference pages but that doesn't seem to be covered.  I know valid-user is one of
> them but what other ones are there?
>
> Doug Poulin
>

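The 401-on-logout approach sketched in the reply above, as an added example that is not code from this thread or from mod_ssl: a small Python http.server that guards a page with Basic auth and answers /logout with a 401 that repeats the WWW-Authenticate challenge for the same realm, which is the header browsers key cached credentials on and which a bare status line omits. The realm, user table and paths are constructed for the demo.

```python
import base64
import hmac
import html
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Demo Area"            # must equal the realm the browser cached credentials for
USERS = {"doug": "s3cret"}     # constructed demo table; never store plaintext passwords

def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def credentials_valid(creds):
    """Check a (user, password) pair against USERS with a constant-time compare."""
    user, password = creds or ("", "")
    pw_ok = hmac.compare_digest(password.encode(), USERS.get(user, "").encode())
    return pw_ok and user in USERS

def handle(path, auth_header):
    """Pure decision logic for one GET: returns (status, headers, body)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM, "Content-Type": "text/html"}
    if path == "/logout":
        # Same realm as the protected pages, so browsers that honour the trick drop
        # the cached credentials. No spec guarantees this, as the reply notes.
        return 401, challenge, b"<p>Logged out.</p>"
    creds = parse_basic_auth(auth_header)
    if not credentials_valid(creds):
        return 401, challenge, b"<p>Authentication required.</p>"
    return 200, {"Content-Type": "text/html"}, ("<p>Hello %s</p>" % html.escape(creds[0])).encode()

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = handle(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Whether the browser really discards the credentials after the /logout response is still browser-dependent; the 401 only gives it the chance to, it does not force it.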
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
