Heiko Sommerfeldt wrote:
> Can this mechanism be used to enforce a logout? My web site should
> have a "logout/new login" link. When this link is activated, the
> browser should ask for new login credentials.
It would not work reliably since, for example, IE6 shows the login dialog
with previously
Hi,
that solves my problems! There is no loop when wrong login parameters
are used.
Thanks a lot!
Can this mechanism be used to enforce a logout? My web site should have
a "logout/new login" link. When this link is activated, the browser
should ask for new login credentials.
Heiko
> The previous
The previous fix was not yet OK since it never forced a new nonce.
The change below should be safer since a new nonce is forced after
its lifetime expired. I hope I understood the "stale" parameter
correctly now.
in (OverbyteIcs)HttpSrv.pas,
function THttpConnection.AuthDigestGetParams: Boolean;
Heiko Sommerfeldt wrote:
> The same happens here with IE8beta too.
> Therefore I answer with 403 after such failed login.
It's a bug in THttpServer :(
[..]
RFC 2617 HTTP Authentication June 1999
stale
A flag, indicating that the previous request from th
> Yes, it is automatically sent by the component.
> However, after a little test with Firefox, and passing an invalid password,
> I see an infinite loop. Firefox infinitely retries to login with the
> wrong password. This repeats with the webserver demo easily.
>
The same happens here with IE8
>
> Do you have any proxy configured for your browser?
>
No.
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
Maurizio Lotauro wrote:
> Heiko Sommerfeldt writes:
>
> [...]
>
>> The main problem is the following: If the user (of the browser) puts
>> in a wrong password the connection is refused. Now the user opens
>> (refresh) the page again and the browser sends the rejected digest
>> information again
Do you have any proxy configured for your browser?
Regards,
SZ
On Thu, Jan 1, 2009 at 2:23 PM, Heiko Sommerfeldt wrote:
>
> >> The main problem is the following: If the user (of the browser) puts
> >> in a wrong password the connection is refused. Now the user opens
> >> (refresh) the page aga
>> The main problem is the following: If the user (of the browser) puts
>> in a wrong password the connection is refused. Now the user opens
>> (refresh) the page again and the browser sends the rejected digest
>> information again automatically so the login fails again.
>> Is there really no solu
Heiko Sommerfeldt writes:
[...]
> The main problem is the following: If the user (of the browser) puts in
> a wrong password the connection is refused. Now the user opens (refresh)
> the page again and the browser sends the rejected digest information
> again automatically so the login fails aga
Heiko Sommerfeldt wrote:
> The main problem is the following: If the user (of the browser) puts
> in a wrong password the connection is refused. Now the user opens
> (refresh) the page again and the browser sends the rejected digest
> information again automatically so the login fails again.
> Is
>> Hi,
>>
>> I am using THttpServer with digest authentication and it works well.
>> What I need is a logout, so the user (browser) needs a new login.
>>
>
> It's IMO not possible to force the browser to display a login dialog.
> Currently the HTTP server uses a hardcoded nonce-lifetime of
Heiko Sommerfeldt wrote:
> Hi,
>
> I am using THttpServer with digest authentication and it works well.
> What I need is a logout, so the user (browser) needs a new login.
It's IMO not possible to force the browser to display a login dialog.
Currently the HTTP server uses a hardcoded nonce-life