Thanks for the reply.

Yes, I am using the "AuthType Basic" Apache directive within a <Location /directory> tag, and I am neither setting a cookie nor using JavaScript for the user ID and password.

In Basic Authentication, when a request is made to a URI, the web server returns an HTTP 401 Unauthorized status code to the client:

HTTP/1.1 401 Authorization Required

This tells the client to supply a username and password. Included in the 401 status code is the authentication header. The client requests the username and password from the user, typically in a dialog box. The client browser concatenates the username and password using a ":" separator and base64-encodes the string. A second request is then made for the same resource, including the encoded username/password string in the Authorization header.

I hope this will give you an idea of what I am trying to do. Right now the problem is that I could not find any mechanism available to the server to cause the browser to 'logout'; that is, to discard its stored credentials for the user.

Thanks

> Date: Tue, 2 Sep 2008 17:21:41 -0500
> From: justinp@xxxxxxxxxxxxxxxxxxx
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: Is there any way that allows user to logout while using basic apache webserver authentication ?
>
> jaweed ali wrote:
> > Hi
> > I have apache with basic authentication set up with LDAP for users'
> > credentials. apache allows me to login on the server, but once a user logs in
> > to the web application and then even closes the browser, the browser
> > still has the Authentication Session safe. And next time, if you just
> > visit the same site, the browser itself passes the uid/password to login to the
> > website, which is really a security issue, so anyone can access the site
> > from the PC.
> > I also performed the scenario such as
> > 1: I set up my site as www.mysite.com/site and set up user1/passwd as uid/password
> > to access it
> > 2: on the other hand I set up another directory, say
> > www.mysite.com/logout, and configured it to
> > authenticate logout/logout as userid/password
> >
> > if I access www.mysite.com/site by
> > passing user1/passwd it successfully logs in
> > after that I access www.mysite.com/logout
> > with logout/logout successfully but
> > the problem is that
> > if I just access www.mysite.com/site it
> > just allows me to login without asking for user id/password
> >
> > so this way also does not provide a way to secure the site
> >
> > Is there any way that I can follow to secure my site or is there no
> > way to secure the site with apache when using basic authentication
> >
> > Thanks
>
> Are you using the "AuthType Basic" Apache directive or are you
> authenticating the user via another means (such as a script that prompts
> for the username and password, then saves it in a cookie)?
>
> If it is the former, then there is no standard way to allow the user to
> "logout". Some browsers (i.e. Firefox) have plug-ins available that will
> allow you to clear the HTTP authentication information, but they do not
> come with the browser. When you close the browser, it automatically
> clears this authentication information. Are you SURE that you closed ALL
> browser windows?
>
> If it is the latter (which actually sounds more likely, since you say
> the user is going to www.mysite.com/logout), then your code is probably
> setting a cookie with an expiration date in the future. The logout page
> is not properly clearing that cookie, so when you reopen the browser, the
> cookie is found and the user is automatically logged in.
> You would need
> to adjust your code so that it creates a cookie that is only active for
> the current session.
>
> Justin Pasher
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
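The 401 challenge and the base64-encoded Authorization header that the reply above walks through, as an added Python example that is not code from the thread or from Apache httpd. It models one server-side decision per request: build the challenge, decode the header the browser sends back, and compare the credentials. The user1/passwd pair comes from the thread; the realm name, the plaintext credential table and the header names on the 200 response are assumptions for the demo (a real server such as Apache with AuthType Basic compares against an htpasswd hash or an LDAP entry). Note that nothing is kept between requests: the credentials ride along on every request, which is exactly why there is no server-side session for a "logout" page to destroy.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for the demo only. user1/passwd is the pair
# from the thread; storing plaintext like this is purely for illustration.
USERS: Dict[str, str] = {"user1": "passwd"}
REALM = "Restricted Area"  # assumed realm name for the example


def challenge() -> Tuple[int, Dict[str, str]]:
    """The 401 response the thread describes: the status code plus the
    WWW-Authenticate header that asks the client for credentials."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}


def encode_basic(user: str, password: str) -> str:
    """What the browser does on the second request: join user and password
    with ':' and base64-encode the result."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <token>' header value.
    Returns (user, password), or None if the header is absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # A password may itself contain ':'; only the first one separates the fields.
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(header: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Server-side decision for one request. Nothing is stored between
    requests: the credentials arrive on every request, so there is no
    server-side session to 'log out'."""
    creds = parse_basic(header)
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison; compare against an empty dummy for unknown
    # users so response time does not reveal whether the username exists.
    ok = hmac.compare_digest((expected or "").encode("utf-8"), password.encode("utf-8"))
    if expected is None or not ok:
        return challenge()
    return 200, {"X-Authenticated-User": user}


if __name__ == "__main__":
    print(authenticate(None))                              # first request -> 401
    print(authenticate(encode_basic("user1", "passwd")))   # retry with creds -> 200
    print(authenticate(encode_basic("logout", "logout")))  # different user -> 401
```

Run it as a script to see the three cases in order. Because `authenticate` is a pure function of the request, the only server-side levers are rejecting a credential (the password or the realm no longer matches); whether the browser keeps offering the old credential is the browser's decision, which is the point Justin makes above.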