
<Directory "/var/www/android">
    AddHandler cgi-script .cgi .pl
    AllowOverride None
    Options -MultiViews +SymLinksIfOwnerMatch +ExecCGI
    Order Deny,Allow
    AuthType Basic
    AuthName "server"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
</Directory>

One of my clients has the above in their Apache configuration. They have several clients which use the system and that generally works OK.

But how do I get a user to logout and login again?

I can use http://user:pass@server/android as the URL, but that isn't too user-friendly and anything else doesn't work.

Any suggestions?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

I believe that's impossible.

From https://en.wikipedia.org/wiki/Basic_access_authentication#Disadvantages

"Existing browsers retain authentication information until the tab or browser is closed or the user clears the history.[1] HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without changing the realm periodically, directing the user to close the browser, or using sessions in the URL."

[1] http://www.tolaris.com/2009/09/08/logging-out-of-http-auth-with-firefox/

On 15 January 2013 20:00, Russell Coker <russell@coker.com.au> wrote:
> But how do I get a user to logout and login again?
Need to invoke the "logout" function on the web browser (not the server). Unfortunately, modern browsers are making this harder to find/use. I can't see any easy way to do it in Chrome.
From Firefox, click "tools", "clear private data", select "everything" in time range to clear, unclick all options except "Active Logins" (guessing here), click "clear now". Not tested. Will log out all HTTP authenticated sessions, not just the one you want.
I seem to recall, once upon a time, this used to be easier. Perhaps do a Google search in case there is a better way I have missed. It does seem though that HTTP authentication has been forgotten in favour of session based authentication and as such isn't getting the features it deserves.

--
Brian May <brian@microcomaustralia.com.au>

On 15 January 2013 20:00, Russell Coker <russell@coker.com.au> wrote:
> But how do I get a user to logout and login again?

I assume you mean logout and login as a different user? It doesn't make sense to logout and login as the same user, this isn't session based - the requests will look the same.

--
Brian May <brian@microcomaustralia.com.au>

Russell Coker <russell@coker.com.au> writes:
> [apache is doing http basic auth]
> But how do I get a user to logout and login again?
> I can use http://user:pass@server/android as the URL, but that isn't too user-friendly and anything else doesn't work.
> Any suggestions?
HTFU and restart the browser? As a bonus, this will allow the kernel to reclaim all the memory it has been leaking.

The trick is to get your server to issue a 401 response. Which can really only be done by your application either sending a 401 header, or responding to apache in an appropriate manner.

On Wed, Jan 16, 2013 at 10:32 AM, Trent W. Buck <trentbuck@gmail.com> wrote:
> Russell Coker <russell@coker.com.au> writes:
>> [apache is doing http basic auth]
>> But how do I get a user to logout and login again?
>> I can use http://user:pass@server/android as the URL, but that isn't too user-friendly and anything else doesn't work.
>> Any suggestions?
> HTFU and restart the browser? As a bonus, this will allow the kernel to reclaim all the memory it has been leaking.

Well, either rejecting a successfully validated request (by re-asking for authorisation) as suggested, or by changing the AuthName (in Apache config parlance) should do the trick. Both aren't really possible with a static Apache config and will need some sort of scripting with some smarts. Also, it'll generally need to be within the same path as the previously authenticated request.
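
An added example, not code from any participant in this thread: a sketch of the "reject a validated request" approach as a CGI script placed inside the protected directory, covering the switch-to-a-different-user case. The script name logout.cgi, the `from` query parameter and the /android/ landing URL are assumptions; the realm is the AuthName from the configuration at the top of the thread.

```python
#!/usr/bin/env python3
"""logout.cgi: switch-user endpoint for a directory behind HTTP Basic auth.

Hypothetical script. It assumes Apache has already authenticated the request
(Require valid-user) and exported the login name as REMOTE_USER.
"""
import os
import sys
from urllib.parse import parse_qs

REALM = "server"        # must match AuthName in the Apache configuration
APP_URL = "/android/"   # assumed landing page once the switch is done


def respond(environ):
    """Return (status, headers, body) for one CGI request."""
    current = environ.get("REMOTE_USER", "")
    leaving = parse_qs(environ.get("QUERY_STRING", "")).get("from", [""])[0]

    if not leaving:
        # No user named to leave: refuse rather than loop on 401 forever.
        return ("400 Bad Request", [("Content-Type", "text/plain")],
                "missing 'from' parameter\n")

    if current == leaving:
        # The browser is still replaying the old credentials. Reject them
        # although they are valid, so the browser prompts for new ones.
        headers = [("WWW-Authenticate", 'Basic realm="%s"' % REALM),
                   ("Cache-Control", "no-store"),
                   ("Content-Type", "text/plain")]
        return "401 Unauthorized", headers, "Logged out. Enter the new login.\n"

    # A different valid user got past Apache: the switch is complete.
    return ("303 See Other",
            [("Location", APP_URL), ("Cache-Control", "no-store")], "")


def main():
    status, headers, body = respond(os.environ)
    sys.stdout.write("Status: %s\r\n" % status)
    for name, value in headers:
        sys.stdout.write("%s: %s\r\n" % (name, value))
    sys.stdout.write("\r\n" + body)


if __name__ == "__main__":
    main()
```

The application would link to logout.cgi?from=<current user>. Re-entering the same user's credentials yields another 401, and how a browser treats its cached credentials after the 401 varies by browser.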
participants (6)
- Andrew Spiers
- Anthony Hogan
- Brian May
- Leigh Sharpe
- Russell Coker
- trentbuck@gmail.com