* Boyle Owen <Owen.Boyle@xxxxxxx> [0507 09:07]:
>
> The first time the client requests a resource in a protected realm, it doesn't know it is protected so makes a plain request. The server responds with a 401 Unauthorized. The client then pops up a password window and captures the username/password (aka, the credentials). The client repeats the request but this time adds an Authorization header containing the credentials. The server gets the request and verifies the credentials, if OK, it serves the resource. The client caches the credentials and for all subsequent requests in the same realm, it adds the same Authorization header - that's how you stay "logged in".
>
> That's also how it is really hard to get the browser to "forget" your password - even if you surf off to a different site and come back a day later, it'll remember your credentials and send them off again.

Best. Firefox extension. Ever.

http://extensionroom.mozdev.org/more-info/clearhttpauth

-- 
'What have you done to the cat? It looks half-dead.' -- Schroedinger's wife
Rasputin :: Jack of All Trades - Master of Nuns
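The exchange described in the quoted message, as an added example that is not part of the original thread: a simulated Basic-auth server and a client that caches the Authorization header and resends it. The realm, user, password and all function names are constructed for illustration.

```python
import base64
import hmac

REALM = "staff"                  # constructed realm name
USERS = {"alice": "s3cret"}      # constructed credentials

def server(path, headers):
    """Return (status, response_headers) as a Basic-protected server would."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            raw = base64.b64decode(token, validate=True).decode()
        except ValueError:       # malformed base64 or invalid UTF-8
            raw = ""
        user, _, pw = raw.partition(":")
        expected = USERS.get(user)
        if expected is not None and hmac.compare_digest(pw.encode(), expected.encode()):
            return 200, {}
    # No credentials, or bad ones: challenge the client and name the realm
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

class Client:
    def __init__(self, prompt):
        self.prompt = prompt     # stands in for the browser's password window
        self.cached = {}         # Authorization header kept after a success
        self.sent = []           # headers of every request, for inspection

    def get(self, path):
        headers = dict(self.cached)          # empty on the very first request
        self.sent.append(headers)
        status, resp = server(path, headers)
        if status == 401 and not headers:
            user, pw = self.prompt(resp["WWW-Authenticate"])
            token = base64.b64encode(f"{user}:{pw}".encode()).decode()
            headers = {"Authorization": f"Basic {token}"}
            self.sent.append(headers)
            status, resp = server(path, headers)
            if status == 200:
                self.cached = headers        # resent on all later requests
        return status

def decode_basic(value):
    """Recover 'user:password' from a header value; base64 is not encryption."""
    return base64.b64decode(value.split(" ", 1)[1]).decode()

if __name__ == "__main__":
    c = Client(lambda challenge: ("alice", "s3cret"))
    print(c.get("/private/a"), c.get("/private/b"))
    for h in c.sent:
        print(h, decode_basic(h["Authorization"]) if h else "(no credentials)")
```

Every request after the first success carries the same reversible header, which is why Basic authentication needs TLS underneath it and why there is no server-side way to make the client drop the cached value.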