Inadequate Logout functionality in HTTP Authentication
Posted November 26th, 2007 by wayland
This post discusses solutions to the problem that HTTP Authentication provides inadequate logout facilities.
Problems
Problems at the browser end
- There is no "Log out" button for HTTP Authentication, so the user has no way to log out
- It would also be nice if there were a "Change User" button
Problems in the protocol
- There is no way for the website to tell the browser to log out
- There is no simple way of providing a timeout for HTTP Authentication
Solutions
Immediate solution at the browser end: Use the Web Developer toolbar
For the worried user, there is the Mozilla/Firefox/Seamonkey plugin called Web Developer. It has an option for clearing HTTP authentication (click "Miscellaneous", then "Clear Private Data", then "Clear HTTP Authentication").
Medium-term solutions at the browser end: Implement new buttons and menus
Both these solutions are stated with reference to Mozilla Seamonkey, but could easily be applied to any browser.
- Implement a "Log out" button in the browser that appears any time the user is viewing a page in an HTTP Authentication realm. One possible UI for this is presented at UI for HTTP Authentication logout idea. This is a good idea to help prevent phishing, as explained at HTTP authentication logout/stop phishing.
- In addition to e.g. the "Cookie Manager" on the Tools menu of Seamonkey (these Tools menu items are the main reason I use Seamonkey instead of Firefox), add an "Authentication Manager", which manages all the currently logged-in realms, whether the user is currently viewing their pages or not
Immediate solutions to the protocol problems
Things that have helped in the past include the following:
Asking the browser to authenticate with an invalid HTTP authentication header
The response would look something like this:
    HTTP/1.0 401 Unauthorized
    WWW-Authenticate: Invalid
Redirect with an invalid username and password
Set up a reserved invalid username (called "invalid" or "reset", or something similar). Set its password, if possible, to one that will never work, or, if that is not possible, to one that will never be used. For example, say you set the username on the server to "invalid" and were unfortunately forced to give it a real password such as "jE#9Bt!q" (rather than something that can never work). You would then redirect to a URL carrying the username "invalid" with the password "invalid". This means the user is logged out, but unfortunately they are then presented with another username/password prompt.
See Authenticate with Logout for details. This may only work in Mozilla-related browsers.
Internet Explorer: Use JavaScript to clear the authentication cache
The JavaScript would look something like this:
    try {
        // Internet Explorer only: discard the credentials IE has cached for this session
        document.execCommand("ClearAuthenticationCache");
    } catch (exception) {
        // Other browsers do not implement this command; ignore the error
    }
Redirect to another page
The final page should:
- Reset the username and password to be invalid
- Check that the user was actually logged out, and send them somewhere appropriate if they were, and to a warning message if they weren't (which might advise them to clear it manually)
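As an added example (not code from the original post), the following Python module models the server side of the techniques above: the 401 with an unsatisfiable challenge, the redirect into the realm under the reserved "invalid" account, and the final page that inspects what the browser now sends and reports either "logged out" or a warning. The realm name, host name, the user "alice" and the credential store are constructed for the example; the reserved account reuses the post's "invalid" / "jE#9Bt!q" values. It is a pure request-to-response function, so it can be exercised without a browser.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed values for this example: a realm, a reserved "reset" account
# whose real password is never handed to anyone, and one genuine user.
REALM = "example"
RESET_USER = "invalid"
RESET_PASSWORD = "invalid"           # what the logout redirect URL carries
USERS: Dict[str, str] = {
    "alice": "correct horse battery",
    RESET_USER: "jE#9Bt!q",          # the post's example of a password that is never used
}
HOST = "www.example.com"             # assumed host name used in the redirect

Response = Tuple[int, Dict[str, str], str]


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a 'Basic base64(user:password)' header; None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(creds: Optional[Tuple[str, str]]) -> bool:
    """Constant-time password check against the constructed store."""
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())


def challenge() -> Response:
    """Ordinary 401 that starts (or restarts) the realm's login dialogue."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"


def handle(path: str, headers: Dict[str, str]) -> Response:
    """Route one request; returns (status, response headers, body)."""
    creds = parse_basic(headers.get("Authorization"))

    if path == "/logout-challenge":
        # First technique: a challenge the browser cannot satisfy, so it
        # has nothing valid left to cache for this realm.
        return 401, {"WWW-Authenticate": "Invalid"}, "Logged out"

    if path == "/logout":
        # Second technique: send the browser back into the realm carrying the
        # reserved account with a password that can never be right.
        location = f"http://{RESET_USER}:{RESET_PASSWORD}@{HOST}/loggedout"
        return 302, {"Location": location}, ""

    if path == "/loggedout":
        # Final page: look at what the browser sends now. Only the reserved
        # user counts as logged out; a still-valid real user gets the warning.
        if creds is None:
            return challenge()   # make the browser reveal its cached credentials
        if creds[0] == RESET_USER:
            return 200, {}, "You have been logged out."
        if credentials_valid(creds):
            return 200, {}, f"Still logged in as {creds[0]}: clear HTTP authentication manually."
        return challenge()

    # Every other path is protected content inside the realm.
    if not credentials_valid(creds):
        return challenge()
    return 200, {}, f"Hello, {creds[0]}"


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a browser would send (for demonstration)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    for path, hdrs in [
        ("/secret", {}),
        ("/secret", basic_header("alice", "correct horse battery")),
        ("/logout", {}),
        ("/loggedout", basic_header("invalid", "invalid")),
        ("/loggedout", basic_header("alice", "correct horse battery")),
    ]:
        print(path, *handle(path, hdrs))
```

The warning branch on /loggedout is the part worth copying: because the server never learns what the browser's cache holds, the only reliable logout check is to challenge again and see which credentials come back.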
Long-term solution to the protocol problems: Change the RFC
Mr. Charles Miller, in his article Saving HTTP Authentication, suggests that the HTTP RFC be altered to:
- Allow timeouts
- Support a "Log out" button
I'd also suggest that the server be able to send the browser a "Log out" command via headers.