RE: Is there any way that allows user to logout while using basic apache webserver authentication ?

Thanks for the reply.
Yes, I am using the "AuthType Basic" Apache directive within a <Location /directory> tag,
and I am neither setting a cookie nor using JavaScript for the user id and password.
 
In Basic Authentication, when a request is made to a URI, the web server returns an HTTP 401 Unauthorized status code to the client:
HTTP/1.1 401 Authorization Required
This tells the client to supply a username and password. Included with the 401 status code is the authentication header. The client requests the username and password from the user, typically in a dialog box. The client browser concatenates the username and password using a ":" separator and base64-encodes the string. A second request is then made for the same resource, including the encoded username:password string in the Authorization header.
 
I hope this will give you an idea of what I am trying to do.
 
Right now the problem is that I could not find any mechanism available to the server to cause the browser to 'log out', that is, to discard its stored credentials for the user.
 
Thanks

> Date: Tue, 2 Sep 2008 17:21:41 -0500
> From: justinp@xxxxxxxxxxxxxxxxxxx
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: Is there any way that allows user to logout while using basic apache webserver authentication ?
>
> jaweed ali wrote:
> > Hi
> > I have Apache with basic authentication set up with LDAP for the users'
> > credentials. Apache allows me to log in on the server, but once a user logs in
> > to the web application and then even closes the browser, the browser
> > still has the authentication session saved. And the next time, if you just
> > visit the same site, the browser itself passes the uid/password to log in to the
> > website, which is really a security issue, so anyone can access the site
> > from the PC.
> > I also performed the scenario such as
> > 1: I set up my site as www.mysite.com/site
> > and set up user1/passwd as uid/password
> > to access it
> > 2: on the other hand I set up another directory, say
> > www.mysite.com/logout, and configured it to
> > authenticate logout/logout as userid/password
> >
> > if I access www.mysite.com/site by
> > passing user1/passwd it successfully logs in
> > after that I access www.mysite.com/logout
> > with logout/logout successfully, but
> > the problem is that
> > if I just access www.mysite.com/site it
> > just allows me to log in without asking for user id/password
> >
> > so this way also does not provide a way to secure the site
> >
> > Is there any way that I can follow to secure my site, or is there no
> > way to secure a site with Apache when using basic authentication?
> >
> > Thanks
>
> Are you using the "AuthType Basic" Apache directive or are you
> authenticating the user via another means (such as a script that prompts
> for the username and password, then saves it in a cookie)?
>
> If it is the former, then there is no standard way to allow the user to
> "logout". Some browsers (i.e. Firefox) have plug-ins available that will
> allow you to clear the HTTP authentication information, but they do not
> come with the browser. When you close the browser, it automatically
> clears this authentication information. Are you SURE that you closed ALL
> browser windows?
>
> If it is the latter (which actually sounds more likely, since you say
> the user is going to www.mysite.com/logout), then your code is probably
> setting a cookie with an expiration date in the future. The logout page
> is not properly clearing that cookie, so when you reopen the browser, the
> cookie is found and the user is automatically logged in. You would need
> to adjust your code so that it creates a cookie that is only active for
> the current session.
>
> Justin Pasher
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

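The 401 / Authorization exchange described in the reply above, and the replay behaviour that makes a "logout" URL ineffective, as an added example that is not part of the original thread or of Apache. It assumes a constructed in-memory user table standing in for the LDAP backend, a single realm named "site", and a simplified client that caches credentials per realm the way a browser does; the names build_basic_authorization, parse_basic_authorization, handle_request, BrowserLikeClient and demo are all this example's own.

```python
import base64
import hmac

# Constructed stand-in for the LDAP user store (assumption, not the page's configuration).
USERS = {"user1": "passwd"}
REALM = "site"  # what Apache would send from AuthName


def build_basic_authorization(user, password):
    """Client side: 'user:password', base64-encoded, prefixed with the 'Basic' scheme."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_authorization(header):
    """Server side: return (user, password), or None if the header is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # The user-id may not contain ':'; the password may, so split on the first one only.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def handle_request(headers):
    """Server side: 401 with a challenge until valid credentials arrive, then 200."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = USERS.get(user)
    # Constant-time compare; a real deployment hands the check to LDAP instead.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, challenge
    return 200, {}


class BrowserLikeClient:
    """Replays cached Basic credentials per realm for the life of the 'browser' process."""

    def __init__(self):
        self.cached = {}  # realm -> Authorization header value

    def get(self, prompt=None):
        """Fetch once. `prompt` is the (user, password) the user would type into the
        dialog if one appeared, or None. Returns (authorization_header_sent, status)."""
        headers = {}
        auth = self.cached.get(REALM)
        if auth:
            headers["Authorization"] = auth  # sent without asking the user
        status, resp = handle_request(headers)
        sent = headers.get("Authorization")
        if status == 401 and prompt is not None:
            # Browser shows the dialog, then retries the same URI with the encoded credentials.
            auth = build_basic_authorization(*prompt)
            status, resp = handle_request({"Authorization": auth})
            if status == 200:
                self.cached[REALM] = auth  # remembered until the process exits
            sent = auth
        return sent, status


def demo():
    """The sequence from the thread; returns the status of each request."""
    client = BrowserLikeClient()
    first = client.get(prompt=("user1", "passwd"))[1]  # 401, dialog, retry -> 200
    second = client.get()[1]  # credentials replayed from cache, no dialog
    # Nothing in a 200 or 401 response tells the client to drop self.cached, so a
    # third request with no prompt available still succeeds.
    third = client.get()[1]
    return [first, second, third]
```

The point of the simulation is the cache in BrowserLikeClient: once a realm has a working Authorization value, every later request to that realm carries it without any user interaction, and the server's only signals (200 or another 401 challenge) give it no way to clear that entry. Authenticating a second realm or path with other credentials, as the /logout experiment in the thread did, adds a separate cache entry rather than removing the first.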