Solved

Basic Auth: force browser to ask password again

Posted on 2002-06-14
Last Modified: 2012-05-04
I'm a Chinese programmer in Singapore, in need of expert advice.

First let me describe "Basic Auth" because it is known by many names to many people. (Skip to "The Problem" if you know what I mean.) If I protect a URL with HTTP Basic Authentication (through .htaccess in Apache), then the browser will pop up a dialog box requesting a password whenever someone accesses the URL.

[ The Problem ] How to force the browser to request the credential again. Once a credential is accepted, the browser will send it to other URLs on the same site. The only way to force the browser to pop up the dialog box is: close the browser and restart a new browser.

[ Solutions that don't work ] I used client-side JavaScript to close all my browser windows and "window.open()" a new browser window, but the new window remembers the credential and therefore doesn't ask. Instead of "window.open()", I also tried <a href='some.html' target=new_window>.

Browser used: MSIE 5
OS: win98
Question by:eng40490
9 Comments
 
LVL 11

Accepted Solution

by:
mouatts earned 250 total points
ID: 7078963
Ok, I'm not too hot on what Apache can and can't do, but if I tell you what you would need to do then perhaps someone else can help as to whether Apache can actually do it.

When a request is made to a server with basic authentication turned on, it sends a response as below

WWW-Authenticate: Basic realm="myrealm"

The browser will prompt the user and will return a message that includes the username and password.

All subsequent requests to the server will send the username and password within the message.

Now to force a redisplay of the prompt your server will need to send a 401 message along with the authenticate message above.

Now I suspect that the browser may think well I already know the username and password for this realm so it will not prompt the user. (This is worth checking though)

Assuming that to be the case, you will need to send a different realm name out when you send the 401.

What I'm not sure of is how Apache associates the realms with the usernames that it holds and whether it can handle multiple realms in this way.

HTH
Steve

LVL 5

Expert Comment

by:heathprovost
ID: 7079791
What you are trying to do (if I understand it correctly) is force the browser to do something it is simply not supposed to do. Once the browser has the credentials for a realm and those credentials are valid for a set of URLs, it is by design supposed to hold onto those credentials, and as long as the server accepts them as valid it is supposed to allow the browser to access those URLs.

You seem to be saying that you want to somehow force the browser to drop its credentials even when they are still valid for a given URL. This makes no sense to me. It is the _server_ that causes the browser to ask the user for their credentials; the browser has absolutely no control over this. And if the browser already has valid credentials for a given URL, i.e. the user is on the Access list for said URL, there is simply no logical reason to make the browser ask for them again.

If you want the user's credentials to become invalidated, all you have to do is remove said user from the Access list for those URLs. Once they are no longer on the Access list they will immediately get a 401 and the browser will ask the user for new credentials. This is how the system is designed to work; there isn't much point in trying to force it to act differently.

Could you possibly explain _why_ you are trying to do what you are describing? I ask because it may be more effective for us to try and come up with a different way to achieve the same goal here...

Heath

Author Comment

by:eng40490
ID: 7080048
LOGOUT is what I want. The client machines are shared. Once User Alice logs out, we want the browser to "forget" the credentials, so that User Bob can't go in without a password.

My partners do not like cookies, so we use Basic Auth.

Thanks to Steve and Heath, we now have 3 directions to explore:
1) close browser window and all parents/children windows
2) modify Realm in .htaccess
3) modify account in AuthUserFile

For (2), please remember we have other users, perhaps in a login session. The new realm should apply only to the user who has logged out and who tries to come in again.
LVL 5

Expert Comment

by:heathprovost
ID: 7080138
Read this page:

http://php.ca/manual/en/features.http-auth.php

It outlines some people's attempts to do what you are describing on Apache with PHP... But note that all suggested ways to implement a "logout" feature that I have seen for BasicAuth were implemented server side by basically the same method that mouatts suggested: change the realm and send a 401. It has to be done very carefully to ensure the desired response from the user agent, and even then it isn't 100% effective, but it does work for the most common user agents.

I don't see any way you could reliably do this client-side by closing the windows; it would be MUCH more reliable to do it server-side. I also wouldn't bother with trying to modify the account in the Access List. Now that I understand what you are trying to accomplish, that was a bad suggestion.

I still question the approach you are taking though. If a user wants to log out, which I assume you want to occur so that they can log in again with different credentials, then you shouldn't use BasicAuth in my opinion. Also, if you are somehow trying to force a logout to simulate session expiration, then again you shouldn't use BasicAuth. It simply isn't designed to work that way.

It would be far more effective and reliable to roll your own authentication scheme and use cookies to store the credentials. Then you could clear them from the client side OR the server side pretty much at will. You could expire them so that if someone leaves a browser window open they will get logged out automatically. You could also persist the user's credentials so that they don't have to log in at all once the cookie is stored. The point is, it is a much more flexible and reliable method to implement a login/logout system.

Heath
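The exchange that mouatts' accepted answer and Heath's follow-up describe (a 401 carrying WWW-Authenticate with a changed realm, sent from a server-side script rather than a static AuthName in .htaccess) modelled end to end, as an added example that is not code from the thread or from any of the pages it links. The user table, the realm name "myrealm", the paths under /private/ and the /logout URL are constructed for the example; the SimulatedBrowser class encodes the user-agent behaviour the thread assumes (one cached credential per site, sent pre-emptively, discarded on a 401 and replaced by whatever the user types in the dialog), not the behaviour of any particular browser. The realm is varied per user only after that user has logged out, which is the refinement the asker wanted under point (2), and stale_resend shows the limit Heath points at: once the stale header has been refused once, the server cannot tell a retyped password from a resent cached one.

```python
import base64
import hmac

REALM_BASE = "myrealm"   # constructed realm name; every path except /logout is protected
LOGOUT_PATH = "/logout"

def challenge(realm):
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, "auth required"

class BasicAuthServer:
    """Server-side decision logic for a Basic Auth site with a logout URL."""
    def __init__(self, users):
        self.users = users                         # user -> password (constructed table)
        self.logout_gen = dict.fromkeys(users, 0)  # user -> number of logouts so far
        self.revoked = set()                       # users whose resent header is refused once

    @staticmethod
    def parse_basic(header):
        """Decode 'Basic <base64(user:password)>'; None if absent or malformed."""
        scheme, _, token = (header or "").strip().partition(" ")
        if scheme.lower() != "basic" or not token:
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None

    def credentials_ok(self, user, password):
        expected = self.users.get(user, "")   # constant-time compare, then reject unknown users
        return hmac.compare_digest(password.encode(), expected.encode()) and user in self.users

    def realm_for(self, user):
        # The plain realm, or a per-user variant once that user has logged out
        gen = self.logout_gen.get(user, 0)
        return REALM_BASE if gen == 0 else f"{REALM_BASE}-{user}-{gen}"

    def handle(self, path, authorization=None):
        # Returns (status, headers, body) for one request
        creds = self.parse_basic(authorization)
        if creds is None or not self.credentials_ok(*creds):
            return challenge(REALM_BASE)
        user = creds[0]
        if path == LOGOUT_PATH:
            # Reject the valid header with a 401 naming a realm the browser has not seen
            self.logout_gen[user] += 1
            self.revoked.add(user)
            return challenge(self.realm_for(user))
        if user in self.revoked:
            # Refuse a resent stale header once; after that a retype and a resend look the same
            self.revoked.discard(user)
            return challenge(self.realm_for(user))
        return 200, {}, f"hello {user}"

class SimulatedBrowser:
    """User agent as the thread assumes it: one cached credential per site, sent
    pre-emptively; a 401 discards it and prompts for the realm in the challenge."""
    def __init__(self, server, prompt):
        self.server = server
        self.prompt = prompt    # callable realm -> (user, password), or None if cancelled
        self.cached = None      # Authorization header value

    @staticmethod
    def basic_header(user, password):
        return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    def get(self, path):
        status, headers, body = self.server.handle(path, self.cached)
        if status != 401:
            return status, body
        self.cached = None                    # the server rejected what was sent
        realm = headers["WWW-Authenticate"].split('realm="')[1].rstrip('"')
        entered = self.prompt(realm)
        if entered is None:                   # user cancelled the dialog
            return status, body
        header = self.basic_header(*entered)
        status, headers, body = self.server.handle(path, header)
        if status == 200:
            self.cached = header
        return status, body

def walkthrough():
    # Alice logs in and out, then Bob uses the same browser
    server = BasicAuthServer({"alice": "alice-pw", "bob": "bob-pw"})
    typed = [("alice", "alice-pw"), None, ("bob", "bob-pw")]   # dialog answers, in order
    realms = []
    def prompt(realm):
        realms.append(realm)
        return typed.pop(0)
    browser = SimulatedBrowser(server, prompt)
    results = [browser.get("/private/page"),    # prompt: Alice types her password
               browser.get("/private/other"),   # cached header, no prompt
               browser.get("/logout"),          # 401 with a new realm; Alice cancels
               browser.get("/private/page")]    # nothing cached: prompt, Bob logs in
    return results, realms

def stale_resend():
    """Statuses seen if a browser keeps resending Alice's old header after logout."""
    server = BasicAuthServer({"alice": "alice-pw"})
    hdr = SimulatedBrowser.basic_header("alice", "alice-pw")
    return tuple(server.handle(p, hdr)[0] for p in (LOGOUT_PATH, "/private/page", "/private/page"))
```

Running walkthrough() gives two 200s for Alice, a 401 on /logout, and a 200 for Bob, with the dialog shown for "myrealm", then "myrealm-alice-1", then "myrealm" again; stale_resend() returns (401, 401, 200), the last value being the case the thread warns about. Whether a real browser actually drops the cached header on the 401, and whether the per-user realm matters to it, is exactly the user-agent dependence Heath describes, so the server-side revocation step is the part worth keeping even where the realm trick works.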
LVL 5

Expert Comment

by:kcm76
ID: 7080199
> I also tried <a href='some.html' target=new_window>.

target=newwin seems to be right, but I have never tried with target=new_window.

KCM
LVL 11

Expert Comment

by:mouatts
ID: 7080281
Use any target name except the reserved ones (_blank, _self, _top, etc.) and you will either create a new window or use an existing one of that name.

Steve
LVL 12

Expert Comment

by:ahosang
ID: 8285368
This question has been abandoned. I will make a recommendation to the moderators on its resolution in a week or so. I appreciate any comments that would help me to make a recommendation.
 
In the absence of responses, I may recommend DELETE unless it is clear to me that it has value as a PAQ. Silence = you don't care
 
ahosang
LVL 12

Expert Comment

by:ahosang
ID: 8357016
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

split - mouatts/heathprovost
Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
ahosang
EE Cleanup Volunteer

Expert Comment

by:Chmod
ID: 8404985
As recommended

Points for heathprovost at http://www.experts-exchange.com/Web/Web_Languages/JavaScript/Q_20597739.html

Chmod
Community Support Moderator @Experts Exchange