Re: AuthDBI logoff

2003-03-31 Thread Geoffrey Young


Todd White wrote:
> if there was a means by which i could strip out the Authorization header
> in the client request, this would force a 401 response from the server
> which would also satisfy my specific need.
> is there a means by which i can manipulate an incoming request header from
> the client?
<Location /foo>
  # drop the client's Authorization header so the request reaches the
  # authentication phase without credentials and is answered with a 401
  PerlInitHandler 'sub { shift->headers_in->unset("Authorization"); 0 }'
</Location>
or something similar - you get the idea :)

--Geoff



RE: AuthDBI logoff

2003-03-31 Thread Frank Maas
Hi Todd,

Trying to logoff using Basic Auth is becoming something of a faq...

 if there was a means by which i could strip out the Authorization
 header in the client request, this would force a 401 response from
 the server which would also satisfy my specific need.

I doubt if this will work. I suspect you want to strip this out when
the user does his logout-request (i.e. a request for .../logout.html).
If you do this, the browser should present a popup-box to the user,
which he most probably would cancel. However, most browsers seem to
recollect the authorisation information they used before. Thus, as
soon as the user gets to a page that requests a login, the browser
tries with the user credentials that were kept and a popup is never
shown.

As someone already suggested: use a Cookie based algorithm. The
cookie gives you the opportunity to follow the status of the
user and effectively log him out. Another approach I once saw was
the use of a dedicated realm for that user. Instead of using a fixed
realm (i.e. security domain) the domain is on a per session basis.
You should still fix the session some way (using the uri or a cookie),
but you can still stick with the 'Basic Auth' mechanism.

Hope this helps.

--Frank
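The per-session realm idea from Frank's reply, written out as an added example (not code from this thread or from AuthDBI): a mod_perl 1 PerlAuthenHandler that ties the Basic Auth realm to a cookie-identified session and rotates it on /logout. It assumes Apache::Cookie from libapreq, `AuthType Basic` plus `require valid-user` in the Location, a constructed in-memory session hash standing in for a real store, and a hypothetical check_password in place of the AuthDBI lookup.

```perl
package My::SessionRealmAuth;
use strict;
use Apache::Constants qw(OK AUTH_REQUIRED);
use Apache::Cookie ();

# Constructed in-memory session table (per Apache child); a real deployment
# would keep this in a shared store such as the AuthDBI database.
my %SESSIONS;   # sid => { realm => ..., challenged => 0|1, user => undef|name }

# Hypothetical password check; stands in for the AuthDBI lookup.
sub check_password { my ($user, $pw) = @_; return defined $user && $pw eq 'secret'; }

sub new_session {
    my $sid = sprintf '%08x%08x', time, int rand 0xffffffff;
    $SESSIONS{$sid} = { realm => "Restricted [$sid]", challenged => 0, user => undef };
    return $sid;
}

# Send a 401 naming this session's realm (note_basic_auth_failure reads auth_name).
sub challenge {
    my ($r, $sess) = @_;
    $sess->{challenged} = 1;
    $r->note_basic_auth_failure;
    return AUTH_REQUIRED;
}

sub handler {
    my $r = shift;
    my $cookies = Apache::Cookie->fetch;
    my $sid = $cookies->{sid} ? $cookies->{sid}->value : undef;

    # Logout: forget the session, so no future response names its realm again.
    if ($r->uri =~ m{/logout$} && defined $sid) {
        delete $SESSIONS{$sid};
        $sid = undef;
    }
    unless (defined $sid && $SESSIONS{$sid}) {
        $sid = new_session();
        Apache::Cookie->new($r, -name => 'sid', -value => $sid, -path => '/')->bake;
    }
    my $sess = $SESSIONS{$sid};
    $r->auth_name($sess->{realm});        # must be set before any 401 is generated
    return OK if defined $sess->{user};   # already logged in on this session
    # A fresh session is challenged once even if the browser sent credentials
    # pre-emptively, so the user is prompted under the new realm.
    return challenge($r, $sess) unless $sess->{challenged};
    my ($ret, $pw) = $r->get_basic_auth_pw;   # 401s by itself if the header is absent
    return $ret unless $ret == OK;
    my $user = $r->connection->user;
    return challenge($r, $sess) unless check_password($user, $pw);
    $sess->{user} = $user;
    return OK;
}
1;
```

Basic credentials carry no realm, so a browser that replays the old password pre-emptively after the cancelled prompt will pass check_password and be logged in again; that limit is inherent to Basic Auth and is the reason the cookie-tracked session, not the realm, is what this handler actually invalidates.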



AuthDBI logoff

2003-03-28 Thread Todd White
i'm seeking a means by which i can allow my web users to logoff after
authenticating for access to restricted web space.  i realize that users
can just close their browser, but i'm seeking a solution that allows the
browser to remain open.  essentially, i want a button that a user can
click that causes the web browser to drop the credentials for the realm.

i'm considering writing an Apache handler and returning an
Apache::Constants constant.  but i'm wondering if anyone would have other
suggestions.

btw, Apache 1.3 / mod_perl 1