store.htaccess

.htaccess  时间:2021-01-11  阅读:()
BasicAuthenticationLogOutv1.
0June2002MavenSecurityConsulting,Inc.
POBox37635PMB50645Philadelphia,PA19101-0635http://www.
MavenSecurity.
comCopyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOutIntroductionThispaperdescribeshowyoucouldclearHTTPBasicAuthenticationcredentialsfromabrowserwithoutrequiringtheusertoclosetheirbrowser.
ItshouldbenotedthattherearenoofficialHTTP/HTMLmechanismsforclearingusercredentialsfromauser'sbrowserwhenbasicauthenticationhasbeenused.
Therefore,themethoddescribedinthisdocumentisofferedasatechnicallyfeasiblesign-offmethod.
However,whetherthistechniqueis"user-friendly"andviableforlarge-scaleproductionsystemsisnotguaranteed.
Aswithanydesignchanges,performanceanduseracceptancetestingwillberequiredbeforedeployingintoproduction.
BackgroundWebbrowsersstoreBasicAuthenticationcredentialsinmemory.
Thecredentialsareassociatedwithaspecificwebsiteandrealmname.
Therealmnameisanarbitrarynamesetbythewebservertodefineaspecificareaofawebsite.
Thisisusefulifpartitioningasiteintodifferentareas.
Therealmnameisshowntotheuserwhentheyarepromptedtoentertheirusernameandpassword.
Figure1-SamplePromptforBasicAuthentication.
htaccessForexample,torestrictaccessforthedirectory/~christoonlytheuserChris,youcouldusea.
htaccessfile(forApache).
2Copyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOutThe.
htaccessfilewouldlooksomethinglikethis:AuthTypeBasicAuthNameUserAreaAuthUserFile/usr/local/apache/conf/usersRequireuserChrisLater,ifyouwantedtoclearChris'nameandpasswordfromthebrowser,youwillneedtocreatetwo"Logout"linksinseries(i.
e.
thefirstlinkleadstoapagethatcontainsthesecondlink).
Thefirstwouldleadtoapagethatinstructedtheuser(e.
g.
Chris)toclickonthelinkbelow(thesecondandlast"Logout"link)andenter"EXIT"astheusernameandpasswordwhenprompted.
Explaintotheuserhowthiswilleraseovertherealcredentialsinthebrowser'smemory,makingitimpossibleforsomeonetostealthemfromthePCatalatertime.
(Alternatively,thispagecansimplyexplainthatthebrowserneedstobeshutdowncompletelyinordertoclearthecredentials.
Therefore,therestofthispaperismoot.
)Now,whentheuserclicksonthissecondlinkitshouldpointtoadirectory(let'scallit/LOGOUT)thathasthefollowing.
htaccessfile:AuthTypeBasicAuthNameUserAreaAuthUserFile/usr/local/apache/conf/usersRequireuserEXITThebrowseronlytracksthecredentialsbysitenameandrealmname(bothofwhicharethesameasbefore-"UserArea"istherealmnameinthisexample).
Therefore,thisnew"sign-on"attempt(fortheusernamedEXIT)willwriteovertheoldcredentialsinthebrowser'smemory.
Sinceonlytheusercalled"EXIT"(withapasswordof"EXIT")is3Copyright2002–MavenSecurity.
AllRightsReservedBasicAuthenticationLogOut4Copyright2002–MavenSecurity.
AllRightsReservedacceptabletoenterthisdirectory(/LOGOUT),thispreventsChris(oranyotheruser)fromaccidentallyenteringavalidaccountnameandpassword.
Thewebsitewouldcontinuetoprompttheuseruntiltheyenteredthecorrectusernameandpassword(i.
e.
EXIT/EXIT).
Thismethodrequiresthecreationofauserwiththename"EXIT"andthepasswordas"EXIT".
Theindex.
htmlfileforthe/LOGOUTdirectoryisthedocumentthatwillbeshowntotheuseraftertheyenter"EXIT"intheBasicauthenticationdialogbox.
Therefore,theindex.
htmlfilecouldcontainsomesortof"success"message,suchas"Youhavesuccessfullyclearedyourusernameandpasswordfrommemory–thanksforusingBasicAuthentication;-).
"Unfortunately,thismethodrequirestheusertotakeseveralsteps.
Ifthesiteenforcesalockoutmechanismtopreventbrute-forceattacks(anditshould),thiscouldcauseproblemsifsomeoneaccidentally(orintentionally)lockstheEXITuser.
Therefore,thelockoutmechanismfortheEXITusershouldnotbeenforced.
Unfortunately,iftheuserleavestheircomputerunattended,forgettingtologout,theredoesnotappeartobeanywaytoremotelycleartheHTTPBasicauthenticationcredentialsfromthebrowser.
JavaorJavaScriptcouldbeusedtoautomaticallyrequestthelogoutURL,butitcannotentertherequiredusernameandpassword(i.
e.
,EXIT)intothedialogboxinordertowriteoverthecachedcredentials.

无忧云:服务器100G高防云服务器,bgpBGP云,洛阳BGP云服务器2核2G仅38.4元/月起

无忧云怎么样?无忧云值不值得购买?无忧云,无忧云是一家成立于2017年的老牌商家旗下的服务器销售品牌,现由深圳市云上无忧网络科技有限公司运营,是正规持证IDC/ISP/IRCS商家,主要销售国内、中国香港、国外服务器产品,线路有腾讯云国外线路、自营香港CN2线路等,都是中国大陆直连线路,非常适合免备案建站业务需求和各种负载较高的项目,同时国内服务器也有多个BGP以及高防节点。目前,四川雅安机房,4...

DiyVM(50元起)老牌商家,香港沙田CN2直连vps/不限流量/五折终身优惠

diyvm怎么样?diyvm是一家国内成立时间比较久的主机商家了,大约在6年前站长曾经用过他家的美国机房的套餐,非常稳定,适合做站,目前商家正在针对香港沙田机房的VPS进行促销,给的是五折优惠,续费同价,香港沙田机房走的是CN2直连的线路,到大陆地区的速度非常好,DiyVM商家采用小带宽不限流量的形式,带宽2Mbps起步,做站完全够用,有需要的朋友可以入手。diyvm优惠码:五折优惠码:OFF50...

gcorelabs:美国GPU服务器,8张RTX2080Ti,2*Silver-4214/256G内存/1T SSD/

gcorelabs提供美国阿什本数据中心的GPU服务器(显卡服务器),默认给8路RTX2080Ti,服务器网卡支持2*10Gbps(ANX),CPU为双路Silver-4214(24核48线程),256G内存,1Gbps独享带宽仅需150欧元、10bps带宽仅需600欧元,不限流量随便跑吧。 官方网站 :https://gcorelabs.com/hosting/dedicated/gpu/ ...

.htaccess为你推荐
免费注册域名如何注册免费域名虚拟主机购买虚拟主机需要购买吗?我想自己做个网站,只买了域名了,请问还需要怎么做呢?域名备案查询如何查询自己域名是否备案,怎么查询备案号?国外虚拟空间哪里买的100m海外虚拟空间便宜稳定?免费国外空间免费国外全能空间申请网站域名各种网站的域名个人虚拟主机个人商城要选多大的虚拟主机?免备案虚拟空间虚拟免费空间网站怎么备案免费网站空间申请申请免费空间的网站香港虚拟主机香港虚拟主机多少钱一年呢?
网络域名 域名中介 已备案域名 vps教程 hostmaster technetcal godaddy优惠码 抢票工具 中国电信测速112 jsp空间 工作站服务器 免费高速空间 最好的qq空间 支付宝扫码领红包 云营销系统 免费asp空间 服务器防火墙 阵亡将士纪念日 黑科云 netvigator 更多