views:

53

answers:

1

Howdy,

I'm playing with HTTP Basic Authorization. As we all know, when a client gets a 401 error on requesting a page, the client must collect authorization credentials from the users (typically in the form of a pop-up window).

Subsequent requests for resources under that part of the URL will be accompanied by "Authorization: Basic [hash]" where [hash] is the username/password mashed together and hashed.

What I'm interested in is getting the client to not send the Authorization header even when requesting a resource that previously asked for it.

Three important questions:

  1. Is this possible?

  2. If possible, does this violate the HTTP/1.1 standard (I'm unclear that this case is covered by the spec)?

  3. What browsers support this?

Thanks for your time, Internet.

UPDATE: Apparently, this is an Apache FAQ and I am SOL. Still, if you've got thoughts on this question, I'd love to hear about it. Thanks.

+1  A: 

I don't think this is possible. The authenticated session lasts until the user shuts the browser window, and the browser will keep on blindly passing the credentials with each request under the same path.

Is there any specific reason why you want this functionality?

Christopher
Thanks for responding. I was hoping to dynamically set authentication on a directory as a form of session management. However, this is not to be.
jjohn
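
The header exchange discussed in this thread, as an added example that is not part of the original posts: RFC 7617 defines the Basic token as the base64 encoding of `user-id:password`, which is reversible, so anything that sees the header can recover the credentials. The function names, realm and sample credentials below are constructed for illustration.

```python
import base64


def challenge(realm: str) -> dict:
    """Headers of the 401 response that makes the browser prompt for credentials."""
    return {"WWW-Authenticate": f'Basic realm="{realm}"'}


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization value a client sends after the 401 challenge."""
    if ":" in username:
        # RFC 7617: the user-id cannot contain a colon, the password can.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value: str):
    """Return (username, password) from an Authorization value, or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:
        # Covers binascii.Error (bad base64) and UnicodeDecodeError (bad UTF-8).
        return None
    # Split on the first colon only, so passwords containing ':' survive.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


if __name__ == "__main__":
    print(challenge("example"))  # constructed realm
    header = build_basic_header("alice", "s3cret:with:colons")  # constructed credentials
    print(header)
    # Decoding needs no key: the token is an encoding, not a one-way digest.
    print(parse_basic_header(header))
```
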