store.htaccess

.htaccess  Date: 2021-01-11
Basic Authentication Log Out v1.0
June 2002
Maven Security Consulting, Inc.
PO Box 37635 PMB 50645, Philadelphia, PA 19101-0635
http://www.MavenSecurity.com
Copyright 2002 – Maven Security. All Rights Reserved

Introduction

This paper describes how you could clear HTTP Basic Authentication credentials from a browser without requiring the user to close their browser. It should be noted that there are no official HTTP/HTML mechanisms for clearing user credentials from a user's browser when basic authentication has been used. Therefore, the method described in this document is offered as a technically feasible sign-off method. However, whether this technique is "user-friendly" and viable for large-scale production systems is not guaranteed. As with any design change, performance and user acceptance testing will be required before deploying into production.

Background

Web browsers store Basic Authentication credentials in memory. The credentials are associated with a specific web site and realm name. The realm name is an arbitrary name set by the web server to define a specific area of a web site. This is useful for partitioning a site into different areas. The realm name is shown to the user when they are prompted to enter their username and password.

[Figure 1 - Sample Prompt for Basic Authentication]

.htaccess

For example, to restrict access for the directory /~chris to only the user Chris, you could use a .htaccess file (for Apache).
The .htaccess file would look something like this:

    AuthType Basic
    AuthName UserArea
    AuthUserFile /usr/local/apache/conf/users
    Require user Chris

Later, if you wanted to clear Chris' name and password from the browser, you will need to create two "Logout" links in series (i.e. the first link leads to a page that contains the second link). The first would lead to a page that instructs the user (e.g. Chris) to click on the link below (the second and last "Logout" link) and enter "EXIT" as the username and password when prompted. Explain to the user how this will write over the real credentials in the browser's memory, making it impossible for someone to steal them from the PC at a later time. (Alternatively, this page can simply explain that the browser needs to be shut down completely in order to clear the credentials, in which case the rest of this paper is moot.)

Now, when the user clicks on this second link it should point to a directory (let's call it /LOGOUT) that has the following .htaccess file:

    AuthType Basic
    AuthName UserArea
    AuthUserFile /usr/local/apache/conf/users
    Require user EXIT

The browser only tracks the credentials by site name and realm name (both of which are the same as before; "UserArea" is the realm name in this example). Therefore, this new "sign-on" attempt (for the user named EXIT) will write over the old credentials in the browser's memory. Since only the user called "EXIT" (with a password of "EXIT") is acceptable to enter this directory (/LOGOUT), this prevents Chris (or any other user) from accidentally entering a valid account name and password. The web site would continue to prompt the user until they entered the correct username and password (i.e. EXIT/EXIT). This method requires the creation of a user with the name "EXIT" and the password "EXIT".

The index.html file for the /LOGOUT directory is the document that will be shown to the user after they enter "EXIT" in the Basic authentication dialog box. Therefore, the index.html file could contain some sort of "success" message, such as "You have successfully cleared your username and password from memory – thanks for using Basic Authentication ;-)."

Unfortunately, this method requires the user to take several steps. If the site enforces a lockout mechanism to prevent brute-force attacks (and it should), this could cause problems if someone accidentally (or intentionally) locks the EXIT user. Therefore, the lockout mechanism for the EXIT user should not be enforced.

Unfortunately, if the user leaves their computer unattended, forgetting to log out, there does not appear to be any way to remotely clear the HTTP Basic authentication credentials from the browser. Java or JavaScript could be used to automatically request the logout URL, but it cannot enter the required username and password (i.e., EXIT) into the dialog box in order to write over the cached credentials.
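The realm-keyed overwrite described above, and the reason a scripted request cannot perform it, as an added Python model that is not part of the original paper: it simulates the two .htaccess-protected directories and a browser that caches one credential pair per (host, realm). The host name, Chris's password and the plaintext user table are constructed assumptions; the model also shows what happens if /LOGOUT were given a different realm than /~chris.

```python
import base64

# Constructed stand-in for /usr/local/apache/conf/users (plaintext here;
# a real htpasswd file stores hashes). EXIT/EXIT is the paper's sign-off user.
USERS = {"Chris": "s3cret", "EXIT": "EXIT"}
# The paper's two .htaccess files reduced to (AuthName realm, Require user).
DIRS = {"/~chris/": ("UserArea", "Chris"), "/LOGOUT/": ("UserArea", "EXIT")}

def encode(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def server(path, auth_header, dirs=DIRS):
    """Apache-style Basic auth: 200 only for the required user's password."""
    realm, required = dirs[path]
    if auth_header and auth_header.startswith("Basic "):
        user, _, pwd = base64.b64decode(auth_header[6:]).decode().partition(":")
        if user == required and USERS.get(user) == pwd:
            return 200, None
    return 401, f'Basic realm="{realm}"'

class Browser:
    """Keeps one credential pair per (host, realm), as the paper describes."""
    def __init__(self, dirs=DIRS, host="www.example.test"):  # constructed host
        self.dirs, self.host, self.cache = dirs, host, {}

    def get(self, path, prompt=None):
        """Fetch path; prompt(realm) -> (user, pwd) stands in for the dialog."""
        status, challenge = server(path, None, self.dirs)
        if status != 401:
            return status
        key = (self.host, challenge.split('realm="')[1].rstrip('"'))
        if key in self.cache:  # silently replay what is cached for this realm
            if server(path, encode(*self.cache[key]), self.dirs)[0] == 200:
                return 200
        if prompt is None:  # a script cannot type into the dialog
            return 401
        creds = prompt(key[1])
        status, _ = server(path, encode(*creds), self.dirs)
        if status == 200:  # a successful login for the same realm overwrites
            self.cache[key] = creds
        return status

def sign_off(scripted=False, logout_realm="UserArea"):
    """Statuses for: Chris logs in, revisits, visits /LOGOUT, revisits /~chris."""
    dirs = {**DIRS, "/LOGOUT/": (logout_realm, "EXIT")}
    b = Browser(dirs)
    chris, exit_ = lambda r: ("Chris", "s3cret"), lambda r: ("EXIT", "EXIT")
    return [b.get("/~chris/", chris), b.get("/~chris/"),
            b.get("/LOGOUT/", None if scripted else exit_), b.get("/~chris/")]
```

sign_off() returns [200, 200, 200, 401]: the revisit to /~chris now fails because the browser replays EXIT/EXIT instead of Chris's credentials. sign_off(scripted=True) and sign_off(logout_realm="Other") each end in 200, showing the two ways the sign-off silently does nothing.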