This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
To: "modperl" <modperl@apache.org>
From: "Kiran Kumar.M" <kirank@comatindia.com>
Subject: Authentication handlers
Date: Sat, 3 Mar 2001 12:58:34 +0530

I'm using a mod_perl authentication handler, where the user's credentials are checked against a database, and in the database I have a flag which tells the login status (y|n). After the user logs out the status is changed to n. My problem is that after logging out, if the user goes one page back and submits, the browser sends the username and password again, and the status is changed to y. Is there any means of removing the username and password from the browser's cache?

===

To: modperl@apache.org
From: "Paul J. Lucas" <pauljlucas@mac.com>
Subject: Re: Authentication handlers
Date: Fri, 2 Mar 2001 23:50:26 -0800 (PST)

On Sat, 3 Mar 2001, Kiran Kumar.M wrote:

> Is there any means of removing the username and password from the browser's
> cache?

$r->nocache(1);

===

To: modperl@apache.org
From: Pierre Phaneuf <pp@ludusdesign.com>
Subject: Re: Authentication handlers
Date: Sat, 03 Mar 2001 08:24:33 -0500

"Paul J. Lucas" wrote:

> > Is there any means of removing the username and password from the browser's
> > cache?
>
> $r->nocache(1);

No, I think he's talking about the "basic" authentication information, that browsers keep in memory until they are stopped.

I think that if you give them an AUTH_REQUIRED, it might clear the password, but that would also make the authentication dialog box appear on their machine, which would be rather confusing.

Personally, I use cookies for authentication instead; you can remove those at will.

===

To: "Kiran Kumar.M" <kirank@comatindia.com>, "modperl" <modperl@apache.org>
From: Bill Moseley <moseley@hank.org>
Subject: Re: Authentication handlers
Date: Sat, 03 Mar 2001 06:53:10 -0800

At 12:58 PM 03/03/01 +0530, Kiran Kumar.M wrote:

> hi, i'm using a mod_perl authentication handler, where the user's credentials
> are checked against a database, and in the database I have a flag which tells
> the login status (y|n). After the user logs out the status is changed to n.
> My problem is that after logging out, if the user goes one page back and
> submits, the browser sends the username and password again, and the status
> is changed to y. Is there any means of removing the username and password
> from the browser's cache?

I guess I don't understand your setup. If you have a database entry that says they are logged out, why don't you see this when they send their request and return a "Sorry, logged out" page?

I wouldn't count on doing anything on the client side.

===

To: modperl <modperl@apache.org>
From: Pierre Phaneuf <pp@ludusdesign.com>
Subject: Re: Authentication handlers
Date: Sat, 03 Mar 2001 10:11:01 -0500

Bill Moseley wrote:

> > i'm using a mod_perl authentication handler, where the user's
> > credentials are checked against a database, and in the database I
> > have a flag which tells the login status (y|n). After the user
> > logs out the status is changed to n. My problem is that after
> > logging out, if the user goes one page back and submits, the browser
> > sends the username and password again, and the status is changed
> > to y. Is there any means of removing the username and password
> > from the browser's cache?
>
> I guess I don't understand your setup. If you have a database entry
> that says they are logged out, why don't you see this when they send
> their request and return a "Sorry, logged out" page?

The problem here is that the first basic authentication is not any different from the next ones, so if he marks the user as logged out, going to a page requiring authentication will simply mark the user as logged in.

You could try various tricks still, with accordingly varying degrees of success.

While you might have a number of pages protected by basic authentication, make only *one* of them actually mark the user as logged in. For example, that might be /login. An example user session might look like this:

- go to /
- click on the "login" link, sending him to /login
- /login is protected, so the browser queries the user for authentication
- /login sees the basic authentication header, marks the user as logged in
- user does whatever he wants
- user is logged out

After this point, if the user goes to any protected web page, even though the basic authentication header is actually correct, he should get an AUTH_REQUIRED response, because he isn't marked as logged in by the database. The only page with the power to make the user logged in is /login.

There is a security problem with this. The user/password combo is *not* cleared from the browser! If someone logs out, then a passer-by uses the same browser to log into the site, he will not get any question asked and will be identified as the previous user!

Basic authentication is annoying. They forgot to put a way to revoke the thing when they designed it. Eh, that's life...

===

To: modperl@apache.org
From: "Paul J. Lucas" <pauljlucas@mac.com>
Subject: Re: Authentication handlers
Date: Sat, 3 Mar 2001 07:13:40 -0800 (PST)

On Sat, 3 Mar 2001, Pierre Phaneuf wrote:

> "Paul J. Lucas" wrote:
>
> > > Is there any means of removing the username and password from the browser's
> > > cache?
> >
> > $r->nocache(1);
>
> No, I think he's talking about the "basic" authentication information,
> that browsers keep in memory until they are stopped.

Oh, silly me. Since this is a mod_perl mailing list, I thought it was actually a mod_perl question. Basic authentication is basic authentication; mod_perl has nothing to do with it.

===

To: modperl <modperl@apache.org>
From: Bill Moseley <moseley@hank.org>
Subject: Re: Authentication handlers
Date: Sat, 03 Mar 2001 07:39:34 -0800

At 10:11 AM 03/03/01 -0500, Pierre Phaneuf wrote:

> The problem here is that the first basic authentication is not any
> different from the next ones, so if he marks the user as logged out,
> going to a page requiring authentication will simply mark the user as
> logged in.

That's what I was assuming.

> Basic authentication is annoying. They forgot to put a way to revoke the
> thing when they designed it. Eh, that's life...

That's the real point. Sometimes you have to weigh the use of an always-on feature like basic authentication vs. maybe-on cookies.

If you really must use basic authentication, then besides the AUTH_REQUIRED trick, sometimes you can get clients to forget by sending them to a new URL with an embedded username and password that logs into the same AuthName but with a different username/password combination. But you CAN'T count on anything working unless you know all your clients -- if even then.

If your problem is that some clients don't use cookies, then perhaps Apache::AuthCookieURL might help.

===

To: "Kiran Kumar.M" <kirank@comatindia.com>
From: Cees Hek <cees@sitesuite.net>
Subject: Re: Authentication handlers
Date: Mon, 5 Mar 2001 20:28:17 +1100

On Sat, 3 Mar 2001, Kiran Kumar.M wrote:

> hi, i'm using a mod_perl authentication handler, where the user's
> credentials are checked against a database, and in the database I have
> a flag which tells the login status (y|n). After the user logs out
> the status is changed to n. My problem is that after logging out, if
> the user goes one page back and submits, the browser sends the username
> and password again, and the status is changed to y. Is there any
> means of removing the username and password from the browser's cache?

I'm assuming you are using Basic Authentication here...

I haven't used Basic Authentication in a couple of years now, but I seem to remember that you can specify a 'Realm' in which the username and password are valid. If you change this realm when the user logs out, then they will be prompted for their username and password again.

So instead of storing a y/n in the database, store a unique string that is used as the realm, and clear it when they log out. Now every time you send the Authentication Required header, send the unique realm for this user that you stored in the database, and if it doesn't exist, generate a new one.

===

To: modperl <modperl@apache.org>
From: Pierre Phaneuf <pphaneuf@sx.nec.com>
Subject: Re: Authentication handlers
Date: Sun, 04 Mar 2001 17:29:56 -0500

Cees Hek wrote:

> So instead of storing a y/n in the database, store a unique string that is
> used as the realm, and clear it when they log out. Now every time you send
> the Authentication Required header, send the unique realm for this user
> that you stored in the database, and if it doesn't exist, generate a new
> one.

Good one! The only bad thing I see is that the realm is visible in the dialog box the user sees, isn't it? Seeing a random string might be a bit unsettling for the user, but there is no technical reason for it not to work.

===

To: "modperl" <modperl@apache.org>
From: "Sisyphus" <kalinabears@hdc.com.au>
Subject: Re: Authentication handlers
Date: Mon, 5 Mar 2001 10:28:15 +1100

Pierre Phaneuf <pphaneuf@sx.nec.com> wrote:

> Cees Hek wrote:
>
> > So instead of storing a y/n in the database, store a
> > unique string that is used as the realm, and clear it
> > when they log out. Now every time you send the
> > Authentication Required header, send the unique realm
> > for this user that you stored in the database, and if it
> > doesn't exist, generate a new one.
>
> Good one! The only bad thing I see is that the realm is visible in the
> dialog box the user sees, isn't it? Seeing a random string might be a bit
> unsettling for the user, but there is no technical reason for it not to
> work.

Are you guys sure about this?

I just tried it out and it doesn't work for Apache 1.3.12 (win32) on Win 98. I visited a page in a 'basic authentication' protected directory, then changed the name of the realm from 'htdocs access' to 'htdocs' but was still able to access other pages in the same directory without being hit for username and password. I tried hitting the back button and 'refreshing', and I also visited another site in the interim. All to no avail.

===
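Editor's added example (not code posted by anyone in this thread): a mod_perl 1 PerlAuthenHandler that implements Cees Hek's per-user realm idea and, with it, the point Bill Moseley and Pierre Phaneuf make earlier in the thread, that the server, not the browser, has to refuse credentials once the user is logged out. The handler assumes a hypothetical `users` table with columns `username`, `pw_hash` (a crypt(3) hash) and `realm`, and a DBI DSN supplied with `PerlSetVar AuthDSN`; the package name `My::RealmAuth` and the `logout` helper are likewise assumptions for illustration. The part Sisyphus's test could not exercise is the `AUTH_REQUIRED` that the handler itself returns when the database says the user is logged out: stock mod_auth with only `AuthName` changed accepts whatever credentials the browser sends preemptively, so no challenge with the new realm name ever reaches the browser.

```perl
package My::RealmAuth;
# Added example for this thread, not code from any poster. Assumed httpd.conf:
#   <Location /private>
#     AuthType Basic
#     AuthName "Private area"
#     PerlSetVar AuthDSN dbi:SQLite:dbname=/srv/auth/users.db   # assumption
#     PerlAuthenHandler My::RealmAuth
#     require valid-user
#   </Location>
# Assumed table (hypothetical): users(username, pw_hash, realm)
use strict;
use warnings;
use DBI;
use Digest::MD5 qw(md5_hex);
use Apache::Constants qw(OK AUTH_REQUIRED SERVER_ERROR);

sub handler {
    my $r = shift;
    return OK unless $r->is_initial_req;   # subrequests inherit the main result

    # No Authorization header: get_basic_auth_pw challenges with the
    # configured AuthName (we do not know the user yet) and returns AUTH_REQUIRED.
    my ($rc, $sent_pw) = $r->get_basic_auth_pw;
    return $rc unless $rc == OK;
    my $user = $r->connection->user;

    my $dbh = DBI->connect($r->dir_config('AuthDSN'), '', '',
                           { RaiseError => 0, PrintError => 0 })
        or do { $r->log_error("DBI connect failed: $DBI::errstr"); return SERVER_ERROR };

    my ($pw_hash, $realm) = $dbh->selectrow_array(
        'SELECT pw_hash, realm FROM users WHERE username = ?', undef, $user);

    # Unknown user or wrong password: plain failure under the configured realm.
    unless (defined $pw_hash && crypt($sent_pw, $pw_hash) eq $pw_hash) {
        $r->note_basic_auth_failure;
        $r->log_reason('bad password', $r->uri);
        return AUTH_REQUIRED;
    }

    # Correct password, but no realm on record: the user is logged out (or has
    # never logged in). Mint a fresh realm, store it, and challenge with it.
    # The browser has nothing cached under this realm name, so it must prompt;
    # the old credentials it sent preemptively are NOT accepted.
    unless (defined $realm && length $realm) {
        $realm = 'session-' . substr(md5_hex(join '|', $user, time, $$, rand), 0, 16);
        $dbh->do('UPDATE users SET realm = ? WHERE username = ?', undef, $realm, $user);
        $r->err_header_out('WWW-Authenticate' => qq{Basic realm="$realm"});
        return AUTH_REQUIRED;
    }

    return OK;   # correct password and a live realm: the user is logged in
}

# Called by the logout page: clearing the realm is what logs the user out.
# The next request carrying the cached credentials lands in the branch above.
sub logout {
    my ($dbh, $user) = @_;
    $dbh->do('UPDATE users SET realm = NULL WHERE username = ?', undef, $user);
}

1;
```

Two consequences of this design are worth knowing before deploying it. A first-time login is prompted twice (once under the configured AuthName, once under the freshly minted realm), because the realm cannot be chosen until the username is known. And, as Pierre notes, the minted realm string is what older browsers show in the dialog; the `session-` prefix keeps it recognisable. The scheme still rests on the browser not reusing credentials across realm names, which Bill's caveat about unknown clients applies to as much as to any other Basic authentication trick.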