tags:

views:

822

answers:

3
Q: 

XMLHttpRequest, basic authentication and expiring password

I use XMLHttpRequest and basic-auth to access application interface. Password is temorary and is generated by other request, so it expires after some time.

But browser (Firefox least) keep using old one, failing and showing login popup. If i suppress popup by returning 403 for requests with X-Requested-By and wrong password, mozilla never tries to use new password (firebug shows new password in request, server receives old).

Problem can be evaded by adding random 'salt' to username (and stripping it at server side), but is there better way to force XMLHttpRequest use provided password instead of cached?

A: 

Hi,

I used to have the similar problems sending values using GET but not with POST.

Regards.

ATorras  2009-07-21 14:46:32
A: 

401 responses include an "authentication domain," which defaults to the all URLs on the server (see RFC 2617). The browser is expected to provide the same credentials to any challenge from the same domain.

Since you're already generating an expiring password, why not simply turn it into a token that has to be appended to every request? For example an SHA1 hash of the username, perhaps salted with a timestamp. I'm assuming that you'll use this as a key on the server to retrieve the user's data.

kdgregory  2009-07-21 15:04:29
Didn't you mean 401 responses?
ymv  2009-07-21 15:11:42
you're correct - I've updated
kdgregory  2009-07-21 15:56:14
A: 

I'm experiencing the same problem: Firefox refuses to clear the cache and accept the new password, despite Firebug showing the new passport being sent! That looks like a bug to me. You wrote that changing the username with random salt actually prevents the problem, right? Could you detail that a bit more? why is that not an acceptable solution?

Thanks! Emanuel

 2009-10-27 04:35:46
HTTP auth aparently wasn't intended to be used this way (non-interactive login), so it's more of protocol limitation than bug. Salting works fine, but it's ugly (but not outright protocol misuse, as using 403 responses instead is).
ymv  2009-11-05 07:57:15

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.