Inadequate Logout functionality in HTTP Authentication

This page discusses solutions to the problem that HTTP Authentication (Basic and Digest) provides no adequate logout facility: once a browser has cached credentials for a realm it keeps sending them until it is closed, and neither the user nor the site has a standard way to stop it.

==Problems==

===Problems at the browser end===
* There is no "Log out" button for HTTP Authentication, so the user cannot end the session short of closing the browser (a real problem on shared machines).
* It would also be nice if there were a "Change User" button.

===Problems in the protocol===
* There is no way for the website to tell the browser to log out.
* There is no simple way of providing a timeout for HTTP Authentication.

==Solutions==

===Immediate solution at the browser end: Use the Web Developer toolbar===
For the worried user, the Mozilla/Firefox/Seamonkey extension [http://webdeveloper.mozdev.org/ Web Developer] has an option for clearing HTTP authentication (click "Miscellaneous", then "Clear Private Data", then "Clear HTTP Authentication").

===Medium-term solutions at the browser end: Implement new buttons and menus===
Both of these solutions are stated with reference to Mozilla Seamonkey, but could easily be applied to any browser.
* Implement a "Log out" button in the browser that appears any time the user is viewing a page in an HTTP Authentication realm. One possible UI for this is presented at [http://dolphinling.net/firefox/httpauthui UI for HTTP Authentication logout idea]. This is a good idea to help prevent phishing, as explained at [http://blog.dolphinling.net/2005/04/http-authentication-logoutstop-phishing/ HTTP authentication logout/stop phishing].
* In addition to, e.g., the "Cookie Manager" on the Tools menu of Seamonkey (these Tools menu items are the main reason I use Seamonkey instead of Firefox), add an "Authentication Manager", which manages all the currently logged-in realms, whether the user is currently viewing their pages or not.

===Immediate solutions to the protocol problems===
None of these is guaranteed by the HTTP specification; each relies on how a particular browser handles its cached credentials, so test them against the browsers you need to support. Things that have helped in the past include the following:

====Asking the browser to authenticate with an invalid HTTP authentication header====
The server answers the logout request with a 401 whose challenge the browser cannot satisfy, so the browser discards the credentials it had cached for the realm. The response would look something like this:
<pre>
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Invalid
</pre>

====Redirect with an invalid username and password====
Set up a reserved invalid username (called "invalid" or "reset", or something similar). Set its password to one that will never work if possible, or, if you are forced to give the account a real password, to one that will never be used. For example, say you set the username on the server to "invalid" and were unfortunately forced to set the password to "jE#9Bt!q" (rather than something that will never work). You would then redirect to a URL carrying the username "invalid" with the password "invalid". Because that pair fails, the browser replaces its cached credentials with ones that do not work, so the user is logged out, but is unfortunately presented with another username/password prompt. See [http://www.jonasjohn.de/snippets/php/authenticate-with-logout.htm Authenticate with Logout] for details. This may only work in Mozilla-related browsers: Internet Explorer removed support for credentials embedded in HTTP URLs in 2004, and other browsers have since restricted them as well.

====Internet Explorer: Use Javascript to clear the authentication cache====
This is Internet Explorer only; other browsers have no equivalent command, which is why the call is wrapped in try/catch. The javascript would look something like this:
<pre>
try {
    // Internet Explorer: drop all HTTP credentials cached for this browser session.
    document.execCommand("ClearAuthenticationCache");
} catch (exception) {
    // Not IE, or the command is unsupported: fall back to a server-side method.
}
</pre>

====Redirect to another page====
The final page should:
# Reset the username and password to be invalid.
# Check that the user was actually logged out (that is, that the browser no longer sends credentials that work), and send them somewhere appropriate if they were, and to a warning message if they weren't (which might advise them to clear it manually).

===Long-term solution to the protocol problems: Change the RFC===
Mr. Charles Miller, in his article [http://fishbowl.pastiche.org/2003/12/30/saving_http_authentication Saving HTTP Authentication], suggests that the HTTP RFC be altered to:
* Allow timeouts
* Support a "Log out" button
I'd also suggest that the server be able to send the browser a "Log out" command via headers.
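The server-side tricks from "Immediate solutions to the protocol problems" above, combined into one small Basic-auth realm, as an added example (this is not code from the page, from the linked PHP snippet, or from any browser project). It uses only Python's standard-library http.server; the realm name, the user store, the reserved username "reset" and the paths /logout, /loggedout, /goodbye and /clear-manually are all hypothetical choices for the demo. The logout page sends the unsatisfiable "WWW-Authenticate: Invalid" challenge, reset_redirect_url() builds the reserved-user redirect, and the /loggedout page performs the final "was the user really logged out?" check by looking at whether the browser still sends working credentials.

```python
"""HTTP Basic auth realm with the three server-side logout tricks.
Added example; realm, users, reserved username and paths are hypothetical."""
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Members"
# Constructed sample user store for the demo only (hypothetical credentials).
USERS = {"alice": "correct-horse"}
# Reserved username that can never authenticate, used for the reset redirect.
RESET_USER = "reset"


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header, or None if the
    header is absent, not Basic, or not valid base64 'user:password'."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(header):
    """True only for a known user with the right password. The reserved reset
    user is rejected even if an account by that name exists in USERS."""
    creds = parse_basic_auth(header)
    if creds is None or creds[0] == RESET_USER:
        return False
    user, password = creds
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8"))


def challenge_headers():
    """Normal challenge for the protected area."""
    return [("WWW-Authenticate", 'Basic realm="%s"' % REALM)]


def logout_headers():
    """Trick 1: a 401 whose challenge the browser cannot satisfy, so it drops
    the credentials cached for this realm (browser-dependent behaviour)."""
    return [("WWW-Authenticate", "Invalid")]


def reset_redirect_url(host, path="/loggedout"):
    """Trick 2: Location for a redirect carrying the reserved user and a
    password that can never match, overwriting the cached credentials."""
    return "http://%s:%s@%s%s" % (RESET_USER, RESET_USER, host, path)


def post_logout_destination(header):
    """Trick 3: the final page checks whether the browser still sends working
    credentials and routes the user to a goodbye page or a manual-clear warning."""
    return "/clear-manually" if credentials_valid(header) else "/goodbye"


class RealmHandler(BaseHTTPRequestHandler):
    def _send(self, status, headers, body):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))

    def do_GET(self):
        auth = self.headers.get("Authorization")
        if self.path == "/logout":
            self._send(401, logout_headers(),
                       "Logging out... open /loggedout to confirm.\n")
        elif self.path == "/loggedout":
            self._send(302, [("Location", post_logout_destination(auth))], "")
        elif self.path == "/goodbye":
            self._send(200, [], "You are logged out.\n")
        elif self.path == "/clear-manually":
            self._send(200, [], "Your browser still sends working credentials; "
                       "clear its HTTP authentication data manually.\n")
        elif credentials_valid(auth):
            user = parse_basic_auth(auth)[0]
            self._send(200, [], "Hello %s. Visit /logout to log out.\n" % user)
        else:
            self._send(401, challenge_headers(), "Authentication required.\n")


if __name__ == "__main__":
    # Run locally, log in as alice/correct-horse, then visit /logout and /loggedout.
    HTTPServer(("127.0.0.1", 8000), RealmHandler).serve_forever()
```

The routing in /loggedout is the important part: a site that merely sends the invalid challenge and assumes success will leave users on shared machines believing they are logged out when their browser still holds working credentials, so the check should always come after the attempt.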