views: 1900

answers: 5

Is it possible to log out a user from a web site if he is using basic authentication?

Killing the session is not enough, since, once the user is authenticated, each request contains the login info, so the user is automatically logged in the next time he accesses the site using the same credentials.

The only solution so far is to close the browser, but that's not acceptable from the usability standpoint.

A: 

  • use a session ID (cookie)
  • invalidate the session ID on the server
  • don't accept users with invalid session IDs

Tomalak
It's also good to offer Basic Authentication as a backup login scheme for when cookies aren't available.
bobince
Invalidating session doesn't work, see other comments.
Dev er dev
A: 

Which technology are you using? If you're using a custom authentication provider you could store details about whether a user is authenticated or not and, if they're not, re-send the WWW-Authenticate header whether or not they've sent a valid username or password.

Phill Sacre
+3  A: 

This isn't directly possible with Basic Authentication.

There's no mechanism in the HTTP specification for the server to tell the browser to stop sending the credentials that the user already presented.

Alnitak
+6  A: 

Basic Authentication wasn't designed to manage logging out. You can do it, but not completely automatically.

What you have to do is have the user click a logout link, and send a ‘401 Unauthorized’ in response, using the same realm and at the same URL folder level as the normal 401 you send requesting a login.

They must be directed to input wrong credentials next, eg. a blank username-and-password, and in response you send back a “You have successfully logged out” page. The wrong/blank credentials will then overwrite the previous correct credentials.

In short, the logout script inverts the logic of the login script, only returning the success page if the user isn't passing the right credentials.

The question is whether the somewhat curious “don't enter your password” password box will meet user acceptance. Password managers that try to auto-fill the password can also get in the way here.

Edit to add in response to comment: re-log-in is a slightly different problem (unless you require a two-step logout/login obviously). You have to reject (401) the first attempt to access the relogin link, then accept the second (which presumably has a different username/password). There are a few ways you could do this. One would be to include the current username in the logout link (eg. /relogin?username), and reject when the credentials match the username.

bobince
I'll try this approach. The point of logout (in this case) is to enable the user to log in as a different user, so it is a perfectly acceptable solution. As for auto-fill passwords, it is up to the user whether he uses them or not. Thanks
Dev er dev
[added longer comment in answer body]
bobince
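The login / logout / relogin handlers described in the answer above, as an added example (not bobince's code): `logout` returns 200 only when the presented credentials are invalid, and `relogin` rejects while the browser still sends the current username. The realm name, the `USERS` table and the helper names are constructed for the example.

```python
import base64
import hmac

REALM = "example"  # assumed realm; must match the realm of the normal login 401
# Constructed user table for the example; a real app would store password hashes
USERS = {"alice": "wonderland", "bob": "builder"}


def parse_basic(auth_header):
    """Return (username, password) from 'Authorization: Basic ...', or None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def valid(creds):
    """Constant-time check of the presented password against the user table."""
    if not creds or creds[0] not in USERS:
        return False
    return hmac.compare_digest(USERS[creds[0]].encode(), creds[1].encode())


def challenge():
    """The 401 that makes the browser (re)prompt; same realm as the login 401."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"


def protected(auth_header):
    """Normal login logic: success only with valid credentials."""
    creds = parse_basic(auth_header)
    return (200, {}, f"Hello {creds[0]}") if valid(creds) else challenge()


def logout(auth_header):
    """Inverted logic: the browser replaces its stored credentials with the
    wrong/blank ones it sends after this 401, so success means 'not valid'."""
    creds = parse_basic(auth_header)
    return challenge() if valid(creds) else (200, {}, "You have successfully logged out")


def relogin(auth_header, current_user):
    """Reject (401) while the browser still sends current_user; accept another valid user."""
    creds = parse_basic(auth_header)
    if not valid(creds) or creds[0] == current_user:
        return challenge()
    return 200, {}, f"Hello {creds[0]}"


def basic(user, password):
    """Build the Authorization header value a browser would send (test helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Both `logout` and `relogin` have to be served at the same URL folder level as the normal login 401, otherwise the browser keeps the old credentials for that path.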
+3  A: 

An addition to the answer by bobince ...

With Ajax you can have your 'Logout' link/button wired to a JavaScript function. Have this function send the XMLHttpRequest with a bad username and password. This should get back a 401. Then set document.location back to the pre-login page. This way, the user will never see the extra login dialog during logout, nor have to remember to put in bad credentials.

system PAUSE