BasicAuthenticationLogOutv1.
0June2002MavenSecurityConsulting,Inc.
POBox37635PMB50645Philadelphia,PA19101-0635http://www.
MavenSecurity.
comCopyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOutIntroductionThispaperdescribeshowyoucouldclearHTTPBasicAuthenticationcredentialsfromabrowserwithoutrequiringtheusertoclosetheirbrowser.
ItshouldbenotedthattherearenoofficialHTTP/HTMLmechanismsforclearingusercredentialsfromauser'sbrowserwhenbasicauthenticationhasbeenused.
Therefore,themethoddescribedinthisdocumentisofferedasatechnicallyfeasiblesign-offmethod.
However,whetherthistechniqueis"user-friendly"andviableforlarge-scaleproductionsystemsisnotguaranteed.
Aswithanydesignchanges,performanceanduseracceptancetestingwillberequiredbeforedeployingintoproduction.
BackgroundWebbrowsersstoreBasicAuthenticationcredentialsinmemory.
Thecredentialsareassociatedwithaspecificwebsiteandrealmname.
Therealmnameisanarbitrarynamesetbythewebservertodefineaspecificareaofawebsite.
Thisisusefulifpartitioningasiteintodifferentareas.
Therealmnameisshowntotheuserwhentheyarepromptedtoentertheirusernameandpassword.
Figure1-SamplePromptforBasicAuthentication.
htaccessForexample,torestrictaccessforthedirectory/~christoonlytheuserChris,youcouldusea.
htaccessfile(forApache).
2Copyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOutThe.
htaccessfilewouldlooksomethinglikethis:AuthTypeBasicAuthNameUserAreaAuthUserFile/usr/local/apache/conf/usersRequireuserChrisLater,ifyouwantedtoclearChris'nameandpasswordfromthebrowser,youwillneedtocreatetwo"Logout"linksinseries(i.
e.
thefirstlinkleadstoapagethatcontainsthesecondlink).
Thefirstwouldleadtoapagethatinstructedtheuser(e.
g.
Chris)toclickonthelinkbelow(thesecondandlast"Logout"link)andenter"EXIT"astheusernameandpasswordwhenprompted.
Explaintotheuserhowthiswilleraseovertherealcredentialsinthebrowser'smemory,makingitimpossibleforsomeonetostealthemfromthePCatalatertime.
(Alternatively,thispagecansimplyexplainthatthebrowserneedstobeshutdowncompletelyinordertoclearthecredentials.
Therefore,therestofthispaperismoot.
)Now,whentheuserclicksonthissecondlinkitshouldpointtoadirectory(let'scallit/LOGOUT)thathasthefollowing.
htaccessfile:AuthTypeBasicAuthNameUserAreaAuthUserFile/usr/local/apache/conf/usersRequireuserEXITThebrowseronlytracksthecredentialsbysitenameandrealmname(bothofwhicharethesameasbefore-"UserArea"istherealmnameinthisexample).
Therefore,thisnew"sign-on"attempt(fortheusernamedEXIT)willwriteovertheoldcredentialsinthebrowser'smemory.
Sinceonlytheusercalled"EXIT"(withapasswordof"EXIT")is3Copyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOut4Copyright2002–MavenSecurity.
AllRightsReservedacceptabletoenterthisdirectory(/LOGOUT),thispreventsChris(oranyotheruser)fromaccidentallyenteringavalidaccountnameandpassword.
Thewebsitewouldcontinuetoprompttheuseruntiltheyenteredthecorrectusernameandpassword(i.
e.
EXIT/EXIT).
Thismethodrequiresthecreationofauserwiththename"EXIT"andthepasswordas"EXIT".
Theindex.
htmlfileforthe/LOGOUTdirectoryisthedocumentthatwillbeshowntotheuseraftertheyenter"EXIT"intheBasicauthenticationdialogbox.
Therefore,theindex.
htmlfilecouldcontainsomesortof"success"message,suchas"Youhavesuccessfullyclearedyourusernameandpasswordfrommemory–thanksforusingBasicAuthentication;-).
"Unfortunately,thismethodrequirestheusertotakeseveralsteps.
Ifthesiteenforcesalockoutmechanismtopreventbrute-forceattacks(anditshould),thiscouldcauseproblemsifsomeoneaccidentally(orintentionally)lockstheEXITuser.
Therefore,thelockoutmechanismfortheEXITusershouldnotbeenforced.
Unfortunately,iftheuserleavestheircomputerunattended,forgettingtologout,theredoesnotappeartobeanywaytoremotelycleartheHTTPBasicauthenticationcredentialsfromthebrowser.
JavaorJavaScriptcouldbeusedtoautomaticallyrequestthelogoutURL,butitcannotentertherequiredusernameandpassword(i.
e.
,EXIT)intothedialogboxinordertowriteoverthecachedcredentials.
SoftShellWeb是一家2019年成立的国外主机商,商家在英格兰注册,提供的产品包括虚拟主机和VPS,其中VPS基于KVM架构,采用SSD硬盘,提供IPv4+IPv6,可选美国(圣何塞)、荷兰(阿姆斯特丹)和台湾(台北)等机房。商家近期推出台湾和荷兰年付特价VPS主机,其中台湾VPS最低年付49美元,荷兰VPS年付24美元起。台湾VPSCPU:1core内存:2GB硬盘:20GB SSD流量...
RAKsmart发布了新年钜惠活动,即日起到2月28日,商家每天推出限量服务器秒杀,美国服务器每月30美元起,新上了韩国服务器、GPU服务器、香港/日本/美国常规+站群服务器、1-10Gbps不限流量大带宽服务器等大量库存;VPS主机全场提供7折优惠码,同时针对部分特惠套餐无码直购每月仅1.99美元,支持使用PayPal或者支付宝等方式付款,有中英文网页及客服支持。爆款秒杀10台/天可选精品网/大...
819云互联 在本月发布了一个购买香港,日本独立服务器的活动,相对之前的首月活动性价比更高,最多只能享受1个月的活动 续费价格恢复原价 是有些颇高 这次819云互联与机房是合作伙伴 本次拿到机房 活动7天内购买独立服务器后期的长期续费价格 加大力度 确实来说这次的就可以买年付或者更长时间了…本次是5个机房可供选择,独立服务器最低默认是50M带宽,不限制流量,。官网:https://ww...
.htaccess为你推荐
域名代理域名代理能转到钱吗,如何赚钱啊?能够成为国外的域名代理商吗?已备案域名查询如何查询网站的域名是否已经备案vps主机什么是vps主机中文域名注册查询怎么查我们公司的中文域名是被谁注册的?虚拟主机代理哪家虚拟主机商的代理比较好虚拟主机代理谁给推荐个好的虚拟主机无限级代理com域名注册com域名注册要注意哪些情况啊?我想现在注册一个com域名~代理主机电脑店卖组装机,怎么赚钱。php虚拟空间php虚拟主机空间如何连接mysql免费网站空间有没有免费的网站空间推荐
域名服务器上存放着internet主机的 新网域名解析 贝锐花生壳域名 万网域名证书查询 132邮箱 mach5 好看的桌面背景大图 华为云主机 服务器怎么绑定域名 windows2003iso 老左正传 129邮箱 稳定免费空间 怎么建立邮箱 域名与空间 帽子云排名 香港ip 免费获得q币 512内存 镇江高防服务器 更多