Bill Moseley wrote:

> > I'm using a mod_perl authentication handler, where the user's
> > credentials are checked against a database, and in the database I
> > have a flag which tells the login status (y|n), but after the user
> > logs out the status is changed to n. My problem is that after
> > logging out, if the user goes one page back and submits, the browser
> > sends the username and password again, and the status is changed
> > to y. Is there any means of removing the username and password
> > from the browser's cache?
> 
> I guess I don't understand your setup. If you have a database entry
> that says they are logged out, why don't you see this when they send
> their request and return a "Sorry, logged out" page?

The problem here is that the first basic authentication is not any
different from the next ones, so if he marks the user as logged out,
going to a page requiring authentication will simply mark the user as
logged in.

You could try various tricks still, with accordingly varying degrees of
success.

While you might have a number of pages protected by basic
authentication, make only *one* of them actually mark the user as logged
in. For example, that might be /login. An example user session might
look like this:

 - go to /
 - click on the "login" link, sending him to /login
 - /login is protected, so browser queries the user for authentication
 - /login sees the basic authentication header, marks the user as logged
in
 - user does whatever he wants
 - user is logged out

After this point, if the user goes to any protected web page, even
though the basic authentication header is actually correct, he should
get an AUTH_REQUIRED response, because he isn't marked as logged in by
the database. The only page with the power to make the user logged in is
/login.

There is a security problem with this. The user/password combo is *not*
cleared from the browser! If someone logs out, then a passer-by uses the
same browser to log into the site, he will not get any question asked
and will be identified as the previous user!

Basic authentication is annoying. They forgot to put a way to revoke the
thing when they designed it. Eh, that's life...

-- 
Pierre Phaneuf
http://www3.sympatico.ca/pphaneuf/
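The /login-only scheme described above, written out as a mod_perl 1 PerlAuthenHandler. This is an added example, not code from the thread; the package name My::Auth, the DSN and credentials, and the users(username, password, logged_in) table are assumptions.

```perl
package My::Auth;   # hypothetical package; wire it up with
# <Location /login> (and every other protected path):
#   AuthType Basic / AuthName "Site" / PerlAuthenHandler My::Auth / require valid-user
use strict;
use Apache::Constants qw(OK AUTH_REQUIRED SERVER_ERROR);
use DBI;

sub handler {
    my $r = shift;

    # Let Apache parse the Authorization: Basic header. If it is absent,
    # $res is AUTH_REQUIRED and the WWW-Authenticate challenge is queued.
    my ($res, $sent_pw) = $r->get_basic_auth_pw;
    return $res if $res != OK;
    my $user = $r->connection->user;

    # Assumed DSN; under Apache::DBI this connect is cached per child.
    my $dbh = DBI->connect('dbi:mysql:site', 'dbuser', 'dbpass',
                           { RaiseError => 1 }) or return SERVER_ERROR;
    # Assumed table users(username, password, logged_in CHAR(1)).
    # Placeholders keep the username out of the SQL text.
    my ($stored_pw, $logged_in) = $dbh->selectrow_array(
        'SELECT password, logged_in FROM users WHERE username = ?',
        undef, $user);

    # Wrong user or password: reject whichever page was requested.
    unless (defined $stored_pw && $sent_pw eq $stored_pw) {
        $r->note_basic_auth_failure;
        return AUTH_REQUIRED;
    }

    if ($r->uri eq '/login') {
        # Only /login has the power to flip the flag to 'y'.
        $dbh->do('UPDATE users SET logged_in = ? WHERE username = ?',
                 undef, 'y', $user);
        return OK;
    }

    # Every other protected page needs the flag to already be 'y'. After
    # logout the replayed header is still correct, but the flag is 'n',
    # so the user gets AUTH_REQUIRED instead of being silently re-logged-in.
    return OK if defined $logged_in && $logged_in eq 'y';
    $r->note_basic_auth_failure;
    return AUTH_REQUIRED;
}

1;
```

The caveat from the message still applies: the browser keeps replaying the credentials, so the handler can refuse them, but it cannot make the browser forget them.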
