Cookieless authentication (part 1)
Some time ago last year I wrote an article (link) describing a mechanism to achieve a logout when using Apache authentication. Some time has passed and I think I should give it an update.
Past
The problem I was trying to solve was to provide a logout mechanism that will help applications that use the authentication feature from Apache. My requirements were:
- Independent of the programming language used at the server side.
- To work with Firefox and Internet Explorer.
1.- I personally use Perl and PHP for server code and I tried to avoid having special mechanisms for each one. I know there are session handling mechanisms that can deal with login/logout issues, but I tried to avoid using cookies.
2.- At the time of writing we had Firefox 1.5 and IE6. Now there is Firefox 2 and IE7. For Internet Explorer browsers the clearing of authentication data is quite simple, just use the code below and you are done:
// JavaScript code
var agt = navigator.userAgent.toLowerCase();
if (agt.indexOf("msie") != -1) {
    // IE: clear the cached HTTP authentication credentials
    document.execCommand("ClearAuthenticationCache");
}
Nice ah! But what about Firefox? Is there something similar to it? Yes and No. “Yes”: with some JavaScript code (I’ll find a link to this) and some tuning of the Firefox security configuration, it will work. The “No” part, from my point of view, is that your users will need to modify their security settings for this method to work; thus, in conclusion, I think this method is not scalable and might expose the users to security risks when changing the configuration.
Now what? Can we do a logout using Firefox? Well, after doing some research online I found the great article by Berend de Boer where he explains a way of doing a logout using some Apache coding for the .htaccess file. This article gave me a better idea of what type of logout I should consider; and as I mentioned above, using cookies was something I tried to avoid.
So, after some quick programming and testing I finally found a solution that was able to provide a logout mechanism for Firefox and Internet Explorer! Yes! IE6 and FF1.5 had a nice logout option. There was another solution (it was here) that was able to provide a logout mechanism, but it was somehow annoying because it presented the login popup as part of the logout. But then Firefox 2.0 came out, and my solution started to have some problems: it was not able to log out all the time. So, what next? Was all my effort gone? Partially; with the experience I obtained during the testing, I now have a better understanding of a possible solution.
In my next article I will explain the new requirements I expect from a logout mechanism and how I am actually doing it in my web pages.
This entry was posted on Saturday, March 17th, 2007 and is filed under Javascript, PHP.
April 29th, 2007 07:17
What about Opera? Both ways to “suppress logout” seem not to have any influence on Opera… 🙁
July 11th, 2008 11:52
[…] being how do you actually log out with HTTP authentication? The easy answer is you can’t; the more subtle answer is you kind of can depending on browser and technology in play. At best the solution is messy. Now why you should care […]