browser security w/ l/p

Ok my boss wants me to make a page where you click to login and it pops
up that little AUTH browser window… he seems to really want that thing.

So the problem is of course the browser remembers your l/p forever…
until you close the browser… despite logging out of the site.

Is there a way I can force the browser to forget the l/p…?? and still
use the auth window?

Re: browser security w/ l/p

Shena Delian O’Brien wrote
> Is there a way I can force the browser to forget the l/p…?? and still
> use the auth window?

The window pops up when the browser receives a 401 (authorization required)
response from the server. Every browser I have used will “forget” the
username/password if it receives another 401 response (from the same
directory, etc.). This can be achieved with a script that merely returns a
401 response. This will also result in the user’s browser popping up a new
login box – don’t know of a way to avoid that.

However, obviously, you have no control over what’s done on the browser
side. Nothing obligates the author of browser software to make their
software behave this way.

Re: browser security w/ l/p

I know. That’s crappy. I can get it to do the 401 but then instead of
saying “you’ve logged out” it just pops up another auth window.

I’ve been thinking of somehow integrating this with a database keeping
track of whether a user is logged in or not but I can’t figure it out
since the login still hinges upon the PHP_USER_AUTH and PHP_USER_PW that
the browser remembers. :frowning:

Winston wrote:
> Shena Delian O’Brien wrote
>
>>Is there a way I can force the browser to forget the l/p…?? and still
>>use the auth window?
>
>
> The window pops up when the browser receives a 401 (authorization required)
> response from the server. Every browser I have used will “forget” the
> username/password if it receives another 401 response (from the same
> directory, etc.). This can be achieved with a script that merely returns a
> 401 response. This will also result in the user’s browser popping up a new
> login box – don’t know of a way to avoid that.
>
> However, obviously, you have no control over what’s done on the browser
> side. Nothing obligates the author of browser software to make their
> software behave this way.
>
>

Re: browser security w/ l/p

On Tuesday 14 January 2003 01:35 pm, Shena Delian O’Brien wrote:

> I know. That’s crappy. I can get it to do the 401 but then instead of
> saying “you’ve logged out” it just pops up another auth window.
>
> I’ve been thinking of somehow integrating this with a database keeping
> track of whether a user is logged in or not but I can’t figure it out
> since the login still hinges upon the PHP_USER_AUTH and PHP_USER_PW that
> the browser remembers. :frowning:

OK this is cheating… but how about making a little pop-up html page that
just looks like a browser AUTH window?


John R. Marshall

TBA…

Re: browser security w/ l/p

“Shena Delian O’Brien” <shena@darklock.com> wrote in message
news:3E245885.1040002@darklock.com
> I know. That’s crappy. I can get it to do the 401 but then instead of
> saying “you’ve logged out” it just pops up another auth window.
>
> I’ve been thinking of somehow integrating this with a database keeping
> track of whether a user is logged in or not but I can’t figure it out
> since the login still hinges upon the PHP_USER_AUTH and PHP_USER_PW that
> the browser remembers. :frowning:

How about setting a timeout.

Adam

Re: browser security w/ l/p

How the heck do you do that with AUTH?

Adam O’Connor | t-shirtme.com wrote:
> “Shena Delian O’Brien” <shena@darklock.com> wrote in message
> news:3E245885.1040002@darklock.com
>
>>I know. That’s crappy. I can get it to do the 401 but then instead of
>>saying “you’ve logged out” it just pops up another auth window.
>>
>>I’ve been thinking of somehow integrating this with a database keeping
>>track of whether a user is logged in or not but I can’t figure it out
>>since the login still hinges upon the PHP_USER_AUTH and PHP_USER_PW that
>>the browser remembers. :frowning:
>
>
> How about setting a timeout.
>
> Adam
>
>

Re: browser security w/ l/p

“Shena Delian O’Brien” <shena@darklock.com> wrote in message
news:3E245BF1.6020609@darklock.com
> How the heck do you do that with AUTH?
>
Wouldn’t it go in all your php pages?

Re: browser security w/ l/p

I’m not sure you quite understand the problem here. The browser
AUTH_USER and AUTH_PW don’t time out. My scripts have only that
information in which to determine whether a user has logged in or not. A
timeout isn’t going to do diddly if the browser remembers that because
people will just click on the login link again and zip right in
seemingly freshly logged in… Someone said changing the realm would
work, adding a timestamp to the realm… I’m going to try that.

Adam O’Connor | t-shirtme.com wrote:
> “Shena Delian O’Brien” <shena@darklock.com> wrote in message
> news:3E245BF1.6020609@darklock.com
>
>>How the heck do you do that with AUTH?
>>
>
> Wouldn’t it go in all your php pages?
>
>

Re: browser security w/ l/p

Adam O’Connor wrote
> Wouldn’t it go in all your php pages?
>

With AUTH, the browser remembers the username and password and submits them
with every http request. Nothing you do on the server side is guaranteed to
make the browser stop remembering the username and password.
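
An added example, not code posted by anyone in this thread: one way to combine the 401 approach and the timestamped realm mentioned above with a server-side session, so that logout returns a normal page and credentials the browser replays on its own are ignored until a fresh challenge has been issued. It reads PHP's `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`; the session keys, the `?action=logout` parameter and the demo user are constructed for illustration.

```php
<?php
// Added example (not from the thread). Constructed names: the "logged_in" and
// "challenged" session keys, the ?action=logout parameter, the demo user.
declare(strict_types=1);
session_start();

// Constructed sample credential store: username => password hash.
$users = ['demo' => password_hash('correct horse', PASSWORD_DEFAULT)];

function challenge(): void
{
    // Record that a prompt was issued, so only credentials sent after it count.
    $_SESSION['challenged'] = true;
    // Timestamped realm, as suggested in the thread: browsers usually key
    // remembered credentials by realm, so a new realm asks for a new prompt.
    $realm = 'Members ' . date('Y-m-d H:i:s');
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="' . $realm . '"');
    exit('Login cancelled.'); // body is shown only if the dialog is dismissed
}

if (($_GET['action'] ?? '') === 'logout') {
    // Plain 200 response: state changes on the server, no 401, no new dialog.
    $_SESSION = [];
    session_regenerate_id(true);
    exit("You've logged out.");
}

if (empty($_SESSION['logged_in'])) {
    $user = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
    $hash = $users[$user] ?? null;
    // Credentials replayed without a preceding challenge are not a login.
    if (empty($_SESSION['challenged']) || $hash === null
        || !password_verify($pass, $hash)) {
        challenge();
    }
    unset($_SESSION['challenged']);
    session_regenerate_id(true); // new session id once the login succeeds
    $_SESSION['logged_in'] = $user;
}

echo 'Hello, ' . htmlspecialchars($_SESSION['logged_in'], ENT_QUOTES, 'UTF-8');
echo ' - <a href="?action=logout">log out</a>';
```

Whether the dialog reappears after the 401 still depends on the browser, as the posts above say; the session flag only ensures the server does not treat replayed credentials as a login.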

Re: browser security w/ l/p

“Winston” <wd@winston.org> wrote in message
news:b01n6m$o4r$1@www.t-shirtcountdown.com
> Adam O’Connor wrote
> > Wouldn’t it go in all your php pages?
> >
>
> With AUTH, the browser remembers the username and password and submits them
> with every http request. Nothing you do on the server side is guaranteed to
> make the browser stop remembering the username and password.

Sorry totally misunderstood what was up here. I’m in t-shirt printing mode
:slight_smile: left my programming nut at work 2 hours ago. lol