Cookieless authentication (part 1)

Some time ago last year I wrote an article (link) describing a mechanism to achieve a logout when using apache authentication. Some time has passed and I think I should give it an update.


The problem I was trying to solve was to provide a logout mechanism that will help applications that use the authentication feature from Apache. My requirements were:

  1. Independent of the programming language used at the server side.
  2. To work with Firefox and Internet Explorer.

1.- I personally use perl and php for server code and I tried to avoid having special mechanisms for each one. I know there are session handling mechanisms that can deal with login/logout issues, but I tried to avoid using cookies.

2.- At the time of writing we had Firefox 1.5 and IE6. Now there is Firefox 2 and IE7. For Internet Explorer browsers the clearing of authentication data is quite simple, just use the code below and you are done:

// Javascript Code
var agt=navigator.userAgent.toLowerCase();
if (agt.indexOf("msie") != -1) {
// IE clear HTTP Authentication

Nice ah! But, what about Firefox? Is there something similar to it? Yes and No. “Yes”, with a javascript code (I’ll find a link to this) and some tuning to the security configuration for Firefox, then that will work. The “No” part from my point of view is that your users will need to modify their security settings for this method to work; thus, in conclusion I think this method is not scalable and might expose the users to security risks when changing the configuration.

Now what? Can we do a logout using Firefox? Well, after doing some research online I found the great article of Berend de Boer where he explains a way of doing a logout using some apache coding for .htaccess file. This article gave me a better idea on what type of logout I should consider; and as I mentioned above, using cookies was something I tried to avoid.

So, doing some quick programming and testing I finally found a solution that was able of providing a logout mechanism for Firefox and IExplore! Yes! IE6 and FF1.5 had a nice logout option. There was another solution (it was here )that was able of having a logout mechanism but was some how annoying because it presented the login popup as part of the logout. But then came out the Firefox 2.0, and my solution started to have some problems, it was not able of logging out all the time. So? what next? All my effort was gone? Partially, with the experience I obtained during the testing now I have a better understanding of a possible solution.

In my next article I will explain the new requirements I expect from a logout mechanism and how I actually doing it in my webpages.

Thank you for reading this post. You can now Read Comments (2) or Leave A Trackback.

2 Responses to “Cookieless authentication (part 1)

Leave a Reply

Note: Any comments are permitted only because the site owner is letting you post, and any comments will be removed for any reason at the absolute discretion of the site owner.