

Basic Auth: force browser to ask password again

Posted on 2002-06-14
Medium Priority
Last Modified: 2012-05-04
I'm a Chinese programmer in Singapore, in need of expert advice.

First let me describe "Basic Auth" because it is known by many names to many people. (Skip to "The Problem" if you know what I mean.) If I protect a URL with HTTP Basic Authentication (through .htaccess in Apache), then the browser will pop up a dialog box requesting a password whenever someone accesses the URL.

[ The Problem ] How to force the browser to request credentials again. Once a credential is accepted, the browser will send it to other URLs on the same site. The only way to force the browser to pop up the dialog box is: close the browser and restart a new browser.

[ Solutions that don't work ] I used client-side JavaScript to close all my browser windows and "window.open()" a new browser window, but the new window remembers the credential and therefore doesn't ask. Instead of "window.open()", I also tried <a href='some.html' target=new_window>.

Browser used: MSIE 5
OS: win98
Question by: eng40490

Accepted Solution

mouatts earned 1000 total points
ID: 7078963
Ok, I'm not too hot on what Apache can and can't do, but if I tell you what you would need to do then perhaps someone else can help as to whether Apache can actually do it.

When a request is made to a server with basic authentication turned on, it sends a response as below:

WWW-Authenticate: Basic realm="myrealm"

The browser will prompt the user and will return a message that includes the username and password.

All subsequent requests to the server will send the username and password within the message.

Now to force a redisplay of the prompt your server will need to send a 401 message along with the authenticate message above.

Now I suspect that the browser may think well I already know the username and password for this realm so it will not prompt the user. (This is worth checking though)

Assuming that to be the case, you will need to send a different realm name out when you send the 401.

What I'm not sure of is how Apache associates the realms with the usernames that it holds and whether it can handle multiple realms in this way.



Expert Comment

ID: 7079791
What you are trying to do (if I understand it correctly) is force the browser to do something it is simply not supposed to do. Once the browser has the credentials for a realm and those credentials are valid for a set of URLs, it is by design supposed to hold onto those credentials, and as long as the server accepts them as valid it is supposed to allow the browser to access those URLs.

You seem to be saying that you want to somehow force the browser to drop its credentials even when they are still valid for a given URL. This makes no sense to me. It is the _server_ that causes the browser to ask the user for their credentials; the browser has absolutely no control over this. And if the browser already has valid credentials for a given URL, i.e. the user is on the Access list for said URL, there is simply no logical reason to make the browser ask for them again.

If you want the user's credentials to become invalidated, all you have to do is remove said user from the Access list for those URLs. Once they are no longer on the Access list they will immediately get a 401 and the browser will ask the user for new credentials. This is how the system is designed to work; there isn't much point in trying to force it to act differently.

Could you possibly explain _why_ you are trying to do what you are describing? I ask because it may be more effective for us to try and come up with a different way to achieve the same goal here...


Author Comment

ID: 7080048
LOGOUT is what I want. The client machines are shared. Once User Alice logs out, we want the browser to "forget" the credentials, so that User Bob can't go in without a password.

My partners do not like cookies, so we use Basic Auth.

Thanks to Steve and Heath, we now have 3 directions to explore:
1) close browser window and all parents/children windows
2) modify Realm in .htaccess
3) modify account in AuthUserFile

For (2), please remember we have other users, perhaps in a login session. The new realm should apply only to the user who has logged out and who tries to come in again.


Expert Comment

ID: 7080138
Read this page:


It outlines some people's attempts to do what you are describing on Apache with PHP... But note that all suggested ways to implement a "logout" feature that I have seen for BasicAuth were implemented server side by basically the same method that mouatts suggested: change the realm and send a 401. It has to be done very carefully to ensure the desired response from the user agent, and even then it isn't 100% effective, but it does work for the most common user agents.

I don't see any way you could reliably do this client-side by closing the windows; it would be MUCH more reliable to do it server-side. I also wouldn't bother with trying to modify the account in the Access List. Now that I understand what you are trying to accomplish, that was a bad suggestion.

I still question the approach you are taking though. If a user wants to log out, which I assume you want to occur so that they can log in again with different credentials, then you shouldn't use BasicAuth in my opinion. Also, if you are somehow trying to force a logout to simulate session expiration, then again you shouldn't use BasicAuth. It simply isn't designed to work that way.

It would be far more effective and reliable to roll your own authentication scheme and use cookies to store the credentials. Then you could clear them from client-side OR server-side pretty much at will. You could expire them so that if someone leaves a browser window open they will get logged out automatically. You could also persist the users' credentials so that they don't have to log in at all once the cookie is stored. Point is, it is a much more flexible and reliable method to implement a login/logout system.
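The server-side "logout" that mouatts and the comment above describe (answer with a 401 whose realm the browser has not seen before), as an added Python example that is not part of the original thread; the user store, the "/logout" path and the realm names are constructed, and the handler is framework-free so it can sit behind any request parsing.

```python
import base64
import binascii
import hmac
import itertools
from typing import Dict, Optional, Tuple

# Constructed credential store (plain text only to keep the example short).
USERS: Dict[str, str] = {"alice": "wonderland", "bob": "builder"}
PROTECTED_REALM = "myrealm"           # realm the protected pages are served under
_logout_counter = itertools.count(1)  # gives every logout challenge a fresh realm


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends after the password dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>'; None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def challenge(realm: str, body: str) -> Tuple[int, Dict[str, str], str]:
    """401 plus the WWW-Authenticate header that makes the browser show its dialog."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}, body


def handle_request(path: str, authorization: Optional[str]) -> Tuple[int, Dict[str, str], str]:
    """Return (status, headers, body) for a protected page or the logout URL."""
    if path == "/logout":
        # Always 401, under a realm the browser has never seen, so it cannot answer from
        # its cache and must prompt. Whether the cached "myrealm" pair is then discarded
        # depends on the user agent and on what the user does with the dialog.
        realm = f"{PROTECTED_REALM}-logout-{next(_logout_counter)}"
        return challenge(realm, "Logged out. Press Cancel on the password dialog.")
    creds = parse_basic_auth(authorization)
    expected = USERS.get(creds[0], "") if creds else ""
    if creds is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return challenge(PROTECTED_REALM, "Authentication required")  # normal challenge
    # Basic auth cannot tell a pair replayed from the browser cache from one just typed,
    # so a valid pair is accepted regardless of any earlier logout.
    return 200, {"Content-Type": "text/plain"}, f"Hello {creds[0]}"
```

The last comment is the reason the thread calls this best-effort: the server sees the same Authorization header whether the browser replayed it or the user retyped it, so the realm switch only works when the dialog ends up clearing or overwriting the cached pair.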


Expert Comment

by:Chandramouli k
ID: 7080199
> I also tried <a href='some.html' target=new_window>.

target=newwin seems to be right, but I have never tried with target=new_window.

Expert Comment

ID: 7080281
Use any target name except (_blank,_self,_top etc) and you will either create a new window or use an existing one of that name.


Expert Comment

ID: 8285368
This question has been abandoned. I will make a recommendation to the moderators on its resolution in a week or so. I appreciate any comments that would help me to make a recommendation.
In the absence of responses, I may recommend DELETE unless it is clear to me that it has value as a PAQ. Silence = you don't care

Expert Comment

ID: 8357016
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

split - mouatts/heathprovost
Please leave any comments here within the next seven days.
EE Cleanup Volunteer

Expert Comment

ID: 8404985
As recommended

Points for heathprovost at http://www.experts-exchange.com/Web/Web_Languages/JavaScript/Q_20597739.html

Community Support Moderator @Experts Exchange
