
Re: Past Proposals for HTTP Auth Logout

From: Bil Corry <bil@corry.biz>
Date: Sun, 31 Jan 2010 12:52:23 -0800
Message-ID: <4B65ED87.6000509@corry.biz>
To: Tim <tim-projects@sentinelchicken.org>
CC: Yutaka OIWA <y.oiwa@aist.go.jp>, ietf-http-wg@w3.org
Tim wrote on 1/30/2010 7:39 PM: 
> Bil,
> 
>> Here's an example of using AJAX to log out a user via HTTP Auth:
>>
>> 	http://www.corry.biz/logout_demo/
> 
> Oh, nice, I hadn't thought of this before.  To summarize, you just set
> up a page within the protection space which always returns a 200 code
> and then access it via XMLHttpRequest with a bogus password.  What
> browsers have you tested this on?

Yes, when logging out, I use AJAX to "log in" the user with a bogus password.  That causes the browser to replace the real creds with bogus ones internally, and essentially causes the user to be logged out as the creds no longer work (it now sends the bogus creds).


> So it appears with logins and logouts, AJAX + response code hacks are
> possible to make this work right now.  I still think an HTTP-level
> session termination mechanism is worthwhile for user agents that don't
> want to rely on JavaScript, but for most developers, this could be the
> missing piece to make HTTP auth usable again.

I agree that having an explicit logout mechanism is preferable -- thank you for the work you're doing on it.  I only came to the above solution after many, many hours of experimenting.  It works in FF3.5, FF3.6, IE8 and Safari 4.  I'm pretty sure it works with older versions too.  I haven't tried Chrome, Opera or Konqueror, not sure if it works with them or not.


- Bil
Received on Sunday, 31 January 2010 20:52:57 GMT
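
The logout sequence described in this message, as an added example that is not part of the original post or of the linked demo: a small synchronous model of a Basic-auth server and a browser-like credential cache, showing why the always-200 page plus a bogus password leaves the client unable to authenticate. The path names, the sample account and the caching rule (credentials passed explicitly replace the cached pair unless the response is a 401) are assumptions of the model.

```javascript
// Simplified model (constructed for illustration) of the logout trick:
// a server using Basic auth, and a browser-like client that caches one
// credential pair for the protection space.
const REAL = { user: "alice", pass: "correct-horse" }; // constructed sample account
const basic = (u, p) => "Basic " + Buffer.from(`${u}:${p}`).toString("base64");

// Server: everything under /app/ requires the real credentials, except
// /app/logout, which always answers 200 whatever credentials it receives.
function server(path, authHeader) {
  if (path === "/app/logout") return 200;
  return authHeader === basic(REAL.user, REAL.pass) ? 200 : 401;
}

// Client: model assumption is that credentials supplied explicitly to a
// request replace the cached pair when the response is not a 401.
class Client {
  constructor() { this.cached = null; }
  request(path, user, pass) {
    const creds = user !== undefined ? { user, pass } : this.cached;
    const header = creds ? basic(creds.user, creds.pass) : undefined;
    const status = server(path, header);
    if (user !== undefined && status !== 401) this.cached = creds;
    return status;
  }
  logout() {
    // In a browser: xhr.open("GET", "/app/logout", true, "logout", bogusPassword)
    return this.request("/app/logout", "logout", "bogus-" + Date.now());
  }
}

function demo() {
  const c = new Client();
  const login = c.request("/app/inbox", REAL.user, REAL.pass); // real creds cached
  const before = c.request("/app/inbox");                      // cached creds sent
  const out = c.logout();                                      // cache overwritten
  const after = c.request("/app/inbox");                       // bogus creds sent
  return { login, before, out, after, cachedUser: c.cached.user };
}
console.log(demo());
```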
