BasicAuthenticationLogOutv1.
0June2002MavenSecurityConsulting,Inc.
POBox37635PMB50645Philadelphia,PA19101-0635http://www.
MavenSecurity.
comCopyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOutIntroductionThispaperdescribeshowyoucouldclearHTTPBasicAuthenticationcredentialsfromabrowserwithoutrequiringtheusertoclosetheirbrowser.
ItshouldbenotedthattherearenoofficialHTTP/HTMLmechanismsforclearingusercredentialsfromauser'sbrowserwhenbasicauthenticationhasbeenused.
Therefore,themethoddescribedinthisdocumentisofferedasatechnicallyfeasiblesign-offmethod.
However,whetherthistechniqueis"user-friendly"andviableforlarge-scaleproductionsystemsisnotguaranteed.
Aswithanydesignchanges,performanceanduseracceptancetestingwillberequiredbeforedeployingintoproduction.
BackgroundWebbrowsersstoreBasicAuthenticationcredentialsinmemory.
Thecredentialsareassociatedwithaspecificwebsiteandrealmname.
Therealmnameisanarbitrarynamesetbythewebservertodefineaspecificareaofawebsite.
Thisisusefulifpartitioningasiteintodifferentareas.
Therealmnameisshowntotheuserwhentheyarepromptedtoentertheirusernameandpassword.
Figure1-SamplePromptforBasicAuthentication.
htaccessForexample,torestrictaccessforthedirectory/~christoonlytheuserChris,youcouldusea.
htaccessfile(forApache).
2Copyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOutThe.
htaccessfilewouldlooksomethinglikethis:AuthTypeBasicAuthNameUserAreaAuthUserFile/usr/local/apache/conf/usersRequireuserChrisLater,ifyouwantedtoclearChris'nameandpasswordfromthebrowser,youwillneedtocreatetwo"Logout"linksinseries(i.
e.
thefirstlinkleadstoapagethatcontainsthesecondlink).
Thefirstwouldleadtoapagethatinstructedtheuser(e.
g.
Chris)toclickonthelinkbelow(thesecondandlast"Logout"link)andenter"EXIT"astheusernameandpasswordwhenprompted.
Explaintotheuserhowthiswilleraseovertherealcredentialsinthebrowser'smemory,makingitimpossibleforsomeonetostealthemfromthePCatalatertime.
(Alternatively,thispagecansimplyexplainthatthebrowserneedstobeshutdowncompletelyinordertoclearthecredentials.
Therefore,therestofthispaperismoot.
)Now,whentheuserclicksonthissecondlinkitshouldpointtoadirectory(let'scallit/LOGOUT)thathasthefollowing.
htaccessfile:AuthTypeBasicAuthNameUserAreaAuthUserFile/usr/local/apache/conf/usersRequireuserEXITThebrowseronlytracksthecredentialsbysitenameandrealmname(bothofwhicharethesameasbefore-"UserArea"istherealmnameinthisexample).
Therefore,thisnew"sign-on"attempt(fortheusernamedEXIT)willwriteovertheoldcredentialsinthebrowser'smemory.
Sinceonlytheusercalled"EXIT"(withapasswordof"EXIT")is3Copyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOut4Copyright2002–MavenSecurity.
AllRightsReservedacceptabletoenterthisdirectory(/LOGOUT),thispreventsChris(oranyotheruser)fromaccidentallyenteringavalidaccountnameandpassword.
Thewebsitewouldcontinuetoprompttheuseruntiltheyenteredthecorrectusernameandpassword(i.
e.
EXIT/EXIT).
Thismethodrequiresthecreationofauserwiththename"EXIT"andthepasswordas"EXIT".
Theindex.
htmlfileforthe/LOGOUTdirectoryisthedocumentthatwillbeshowntotheuseraftertheyenter"EXIT"intheBasicauthenticationdialogbox.
Therefore,theindex.
htmlfilecouldcontainsomesortof"success"message,suchas"Youhavesuccessfullyclearedyourusernameandpasswordfrommemory–thanksforusingBasicAuthentication;-).
"Unfortunately,thismethodrequirestheusertotakeseveralsteps.
Ifthesiteenforcesalockoutmechanismtopreventbrute-forceattacks(anditshould),thiscouldcauseproblemsifsomeoneaccidentally(orintentionally)lockstheEXITuser.
Therefore,thelockoutmechanismfortheEXITusershouldnotbeenforced.
Unfortunately,iftheuserleavestheircomputerunattended,forgettingtologout,theredoesnotappeartobeanywaytoremotelycleartheHTTPBasicauthenticationcredentialsfromthebrowser.
JavaorJavaScriptcouldbeusedtoautomaticallyrequestthelogoutURL,butitcannotentertherequiredusernameandpassword(i.
e.
,EXIT)intothedialogboxinordertowriteoverthecachedcredentials.
2021年各大云服务商竞争尤为激烈,因为云服务商家的竞争我们可以选择更加便宜的VPS或云服务器,这样成本更低,选择空间更大。但是,如果我们是建站用途或者是稳定项目的,不要太过于追求便宜VPS或便宜云服务器,更需要追求稳定和服务。不同的商家有不同的特点,而且任何商家和线路不可能一直稳定,我们需要做的就是定期观察和数据定期备份。下面,请跟云服务器网(yuntue.com)小编来看一下2021年国内/国...
云雀云(larkyun)当前主要运作国内线路的机器,最大提供1Gbps服务器,有云服务器(VDS)、也有独立服务器,对接国内、国外的效果都是相当靠谱的。此外,还有台湾hinet线路的动态云服务器和静态云服务器。当前,larkyun对广州移动二期正在搞优惠促销!官方网站:https://larkyun.top付款方式:支付宝、微信、USDT广移二期开售8折折扣码:56NZVE0YZN (试用于常州联...
BuyVM商家属于比较老牌的服务商,早年有提供低价年付便宜VPS主机还记得曾经半夜的时候抢购的。但是由于这个商家风控非常严格,即便是有些是正常的操作也会导致被封账户,所以后来陆续无人去理睬,估计被我们风控的抢购低价VPS主机已经手足无措。这两年商家重新调整,而且风控也比较规范,比如才入手他们新上线的流媒体优化VPS主机也没有不适的提示。目前,BuyVM商家有提供新泽西、迈阿密等四个机房的VPS主机...
.htaccess为你推荐
国外空间租用好用的国外空间虚拟主机代理虚拟主机代理哪家好,应该选择哪个家?深圳网站空间菜鸟问:网站空间如何选择,与空间的基本知识?虚拟主机评测网求推荐一些适合个人博客网站的虚拟主机的服务商青岛虚拟主机阿里云主机青岛好还是杭州好双线虚拟主机G型双线虚拟主机是什么意思org域名.com、.cn和.org的域名有什么区别?百度域名百度网址是啥?http://后面是啥,是不是how123? 请解答域名系统DNS域名系统的特点是什么域名论坛我的网站正在备案(个人),但是我的二级域名是论坛网站,对网站有影响吗?能否影响备案?
yardvps siteground isatap suspended 阿里云代金券 php免费空间 网通代理服务器 魔兽世界台湾服务器 免费ftp空间申请 空间出租 重庆双线服务器托管 1美金 上海电信测速 智能dns解析 永久免费空间 lamp是什么意思 国外免费云空间 黑科云 双十二促销 googlevoice 更多