I know I can't log out of HTTP authentication.

Overwriting through the Location: http://logout:[email protected]/ way seems to work on most browsers, except IE.

I was wondering however if I could let the users overwrite the Authentication data.

So say the user has some auth data in their browser; now they go to my /logout page, and it sends back the 401 headers so that the authentication window pops up and they can overwrite it.

However, when they click OK (auth data is now overwritten in the browser) the /logout page reloads, and there's no way for me to validate the new data, because the page will reload after I click OK, run the Auth headers again, and show the popup again.

So basically, how do I validate HTTP auth data if there's already some data set in the browser?

+1  A: 

when they click OK (auth data is now overwritten in the browser) the /logout page reloads, and there's no way for me to validate the new data

You just have to reverse-validate the submitted data: if the user supplies proper auth, return the 401 response; if the user supplies bad auth or no auth, return a 200 or 302 to signal that the new bad/no auth has been accepted. The browser will then continue to use the bad/no auth for future requests.

Add directions something like “Click here and then enter no username or password and click OK” and you've got yourself a workable, if slightly shonky logout feature for HTTP Basic Auth.

(This is easy assuming you're spitting out the auth headers yourself from a script; it's not generally possible to pull off if you're using your web server's Authentication handling features.)

bobince
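The inverted check the answer describes, as an added example that is not part of the original answer: a normal protected page challenges with 401 until valid credentials arrive, while /logout challenges only while the browser is still sending valid credentials and accepts (302) anything else, so the browser caches the empty or wrong credentials the user typed. The user table, realm and the small WSGI adapter are assumptions made for this illustration.

```python
import base64
import hmac
from wsgiref.simple_server import make_server

# Constructed credentials for this example; a real app would look them up.
USERS = {"alice": "correct horse battery staple"}
REALM = "Example"  # assumed realm name


def basic_header(user, password):
    """Build the Authorization header value a browser would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header):
    """Return (username, password) from a Basic Authorization header, or None.

    Handles a missing header, a non-Basic scheme, bad base64 and a token
    with no ':' separator. An empty user and password ('Basic Og==', which
    is what the browser sends when both fields are left blank) parses fine
    and simply fails validation later.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        user, sep, password = raw.decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if not sep:
        return None
    return user, password


def credentials_valid(creds):
    """Constant-time check of the supplied credentials against USERS."""
    if creds is None:
        return False
    user, password = creds
    # Compare against a dummy for unknown users so timing does not reveal
    # which usernames exist.
    expected = USERS.get(user, "\0" * 32)
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return ok and user in USERS


def challenge(body):
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, body


def protected(auth_header):
    """Ordinary protected resource: keep challenging until the creds are right."""
    if credentials_valid(parse_basic_auth(auth_header)):
        return 200, {}, "secret page"
    return challenge("authentication required")


def logout(auth_header):
    """Reverse-validated logout: challenge while the browser still sends
    VALID credentials; accept (redirect) once it sends bad or no credentials,
    which the browser then caches in place of the real ones."""
    if credentials_valid(parse_basic_auth(auth_header)):
        return challenge("Leave the username and password empty and click OK to log out.")
    return 302, {"Location": "/"}, ""


REASONS = {200: "200 OK", 302: "302 Found", 401: "401 Unauthorized"}


def wsgi_app(environ, start_response):
    """Minimal WSGI wiring (assumed) routing /logout to the inverted check."""
    handler = logout if environ.get("PATH_INFO") == "/logout" else protected
    status, headers, body = handler(environ.get("HTTP_AUTHORIZATION"))
    start_response(REASONS[status], [("Content-Type", "text/plain")] + list(headers.items()))
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Browse to http://localhost:8000/ (alice / correct horse battery staple),
    # then http://localhost:8000/logout and submit empty credentials.
    make_server("", 8000, wsgi_app).serve_forever()
```

The important caveat is visible in `logout`: the redirect target "/" is itself protected, so after logging out the user immediately gets a fresh 401 and a new prompt; redirect to an unprotected page in practice.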
Wow, this is exactly what I was thinking of. I guess there isn't a better solution, thanks.
Luca Matteis
Indeed, Basic Auth is a bit messy in the rudimentary control it gives you over expiring logins, UI and Unicode. This is probably why cookie-based login schemes are much more widespread. (I tend to provide basic auth as fallback.)
bobince