Cookieless Authentication – Client side

In my previous posts I gave an update on the REST-based authentication I am still working on. Basically I am trying to have a two-level logout mechanism: one on the server side and the other on the client side. The server side assures the authentication mechanism, and the client side provides a common front-end logout shared across different back-end programming choices.

To start, I have to say that if you think you will find in this article a logout mechanism that works perfectly on every browser platform, then I recommend you stop here and keep searching. From my experience, it can get really annoying at a certain point, but it really helps you to understand what you are doing.

Just to review some of the aspects that I am considering for my login/logout mechanism:

  • 2 levels: client side and server side.
  • No cookies, so everything has to be handled by the Authorization field in the header.
  • Preference for the Digest Access Authentication Scheme; if that is not suitable, then the Basic Authentication Scheme.

With that said, let's see how we can deal with these requirements. In this post I deal with the client side, with no cookies and using Digest Authentication. So far this is still my latest code for doing the logout:


<script type="text/javascript">
// Creates an XMLHttpRequest object, falling back to the ActiveX object on old IE.
// Returns false if neither is available.
function createXMLObject() {
  var xmlhttp;
  try {
    if (window.XMLHttpRequest) {
      xmlhttp = new XMLHttpRequest();
    }
    // code for IE 5/6, which only expose the ActiveX version
    else if (window.ActiveXObject) {
      xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
  } catch (e) {
    xmlhttp = false;
  }
  return xmlhttp;
}

try {
  var agt = navigator.userAgent.toLowerCase();
  if (agt.indexOf("msie") != -1) {
    // IE: clear the cached HTTP Authentication credentials directly
    document.execCommand("ClearAuthenticationCache");
  } else {
    // Other browsers: start an asynchronous request to a page inside the
    // protected realm with bogus credentials, then abort it. The cached
    // username is replaced, so the next request gets a 401 and a login prompt.
    var xmlhttp = createXMLObject();
    xmlhttp.open("GET", "PAGE FROM REALM TO LOGOUT", true, "logout", "logout");
    xmlhttp.send("");
    xmlhttp.abort();
  }
} catch (e) {
  // There was an error
  alert("there was an error");
}
</script>

So the main issue here is a cross-browser solution, which, as you might know, is not so easy to implement. Now let's talk about each browser separately:

Internet Explorer: so far this is the easiest browser to work with; it provides a one-line piece of JavaScript to perform the logout:
document.execCommand("ClearAuthenticationCache");
and since IE still has a great number of users out there, this is good news. It works well for IE6 and IE7. I have not tested it with lower versions nor on a Mac.

Firefox: the good thing about this browser is that there are good tools for developers to debug your code, so you can work better. In my case, I use the Live HTTP Headers extension to see in real time all the HTTP requests and responses that my browser sends and receives, as well as FireBug to debug the browser behavior. In my solution I make use of the XMLHttpRequest object. So, recently I tracked my logout mechanism for Firefox with the HTTP tool to understand it better, and I drew the following conclusions from the code above:

  • var xmlhttp = createXMLObject();: Here I create the object.
  • xmlhttp.open("GET","PAGE FROM REALM TO LOGOUT",true,"logout","logout");: The value of "true" in the async parameter is REQUIRED. Having true means that my script will continue executing after the send() method without waiting for a response, as opposed to "false", which means that the script waits for a response before continuing processing [1]. I want this because I want the script to abort before the request is sent. The username is REQUIRED too. This username will replace the username that was part of the Authorization header, thus doing the trick to obtain a login popup window next time we want to log in. The first argument could be any method: GET (tested), POST (tested), HEAD (not tested), PUT (not tested), DELETE (not tested), etc. The second argument should be a page located in the realm for authentication; I haven't tried to put any other page, but I think it should be fine too.
  • xmlhttp.send("");: Here the browser will try to send the request, so it creates the new headers and gets ready to send an empty body.
  • xmlhttp.abort();: This is the one that stops the above command from being executed, but since the headers have already been replaced with a wrong username, the next time you try to connect it will ask you for the right credentials. Notice that this is also the one line that prevents Firefox from displaying the authentication popup.

Opera: I have tried to run the same on this browser (version 9 and up), but it doesn't work. I believe it is because of this: "XMLHTTPRequest is a work in progress, we expect to fully support it when it becomes a recommendation" (link).

Safari: I don't have a Mac, so the only times I can test this are at university and with a couple of friends. Not much time to test it extensively, but it doesn't work, I believe for the same reason: lack of a full implementation of XMLHttpRequest.

Well, that is it for now for the client side. Next I will try to explain my solution for the server side.

References:
1. The HttpRequest Object, w3schools. (link)
