tags:

views:

33

answers:

1
+1  Q: 

Why LiveId Web Auth requires to confirm cookie removal with IMAGE/GIF response?

In LiveId Web Auth scenario, when client application receive "clearcookie" request, it is responsible for clearing the authorization cookies and should confirm success by returning any GIF image through http. Using reference implementation of liveid web auth in asp.net-mvc looks like:

 if (Request["action"]=="clearcookie")
 {
      string contentType;
      byte[] content;
      wll.GetClearCookieResponse(out contentType, out content);
      return this.File(content, contentType);
 }

Where wll.GetClearCookieResponse is implemented as:

    public void GetClearCookieResponse(out string type, out byte[] content)
    {
        const string gif = 
          "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAEALAAAAAABAAEAAAIBTAA7";
        type = "image/gif";
        content = Convert.FromBase64String(gif);
    }

So the GetClearCookieResponse method creates byte[] array containg tiny hardcoded GIF.

Is there any particular reason why responding with GIF is required? Why not just plain text ("OK") or JSON?

Are there any other (than LiveId) protocols using returning GIF as a response? I'm asking because I want to know if there is any reason to adopt this solution in projects requiring similar scenarios of communication.

A: 

When a user signs out of Windows Live or a Windows Live pplication, a best-effort attempt is made to sign the user out from all other Windows Live applications the user might be signed in to. This is done by calling the handler page for each application with 'action' parameter set to 'clearcookie' in the query tring. The application handler is then responsible for clearing any cookies or data associated with the login. After successfully signing the user out, the handler should return a GIF (any GIF) as response to the action=clearcookie query.

This function returns an appropriate content type and body response that the application handler can return to signify a successful sign-out from the application.

Your code should only return the image (.gif) as specified, and nothing else. An extra byte will trigger an error (malformed image).

I suppose it could be any type of expected response and suspect they chose a GIF because it would cause a browser to promptly hang up the connection when received.

Dolph  2010-05-13 17:03:23
After loading the GIF is it more likely that the browser will drop the connection then after loading Json?
PanJanek  2010-05-17 12:16:34

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.