Asked  8 Months ago    Answers:  5   Viewed   66 times

What is the correct way to log out of HTTP authentication protected folder?

There are workarounds that can achieve this, but they are potentially dangerous because they can be buggy or don't work in certain situations / browsers. That is why I am looking for correct and clean solution.

 Answers

42

Mu. No correct way exists, not even one that's consistent across browsers.

This is a problem that comes from the HTTP specification (section 15.6):

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1. does not provide a method for a server to direct clients to discard these cached credentials.

On the other hand, section 10.4.2 says:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.

In other words, you may be able to show the login box again (as @Karsten says), but the browser doesn't have to honor your request - so don't depend on this (mis)feature too much.

Wednesday, March 31, 2021
 
MoarCodePlz
answered 8 Months ago
83

Run phpinfo(). if "Server API" is CGI/FCGI, you can pretty much forget it as there is no sensible way to use HTTP auth from PHP.

Friday, July 23, 2021
 
Wilk
answered 3 Months ago
11

The trick is to create a password manager, and then tell urllib about it. Usually, you won't care about the realm of the authentication, just the host/url part. For example, the following:

password_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
top_level_url = "http://example.com/"
password_mgr.add_password(None, top_level_url, 'user', 'password')
handler = urllib2.HTTPBasicAuthHandler(password_mgr)
opener = urllib2.build_opener(urllib2.HTTPHandler, handler)
request = urllib2.Request(url)

Will set the user name and password to every URL starting with top_level_url. Other options are to specify a host name or more complete URL here.

A good document describing this and more is at http://www.voidspace.org.uk/python/articles/urllib2.shtml#id6.

Sunday, August 1, 2021
 
Andrew Burton
answered 3 Months ago
16

It is possible to do HTTP Basic Authentication in pure classic ASP VBScript.

You will need something to decode base 64. Here is a pure VBScript implementation. You will also need to make sure that in your IIS config you turn off "Basic authentication" and "Integrated Windows authentication" as these will interfere with what you get back in the HTTP_AUTHORIZATION header.

Here is a sample implementation that just echoes back the user name and password.

<%@LANGUAGE="VBSCRIPT"%>

<!--#include file="decbase64.asp" -->

<%
Sub Unauth()
    Call Response.AddHeader("WWW-Authenticate", "Basic realm=""SomethingGoesHere""")
    Response.Status = "401 Unauthorized"
    Call Response.End()
End Sub

Dim strAuth
strAuth = Request.ServerVariables("HTTP_AUTHORIZATION")

If IsNull(strAuth) Or IsEmpty(strAuth) Or strAuth = "" Then
    Call Unauth
Else 
    %>
    <html>
    <body>
    <% 
        Dim aParts, aCredentials, strType, strBase64, strPlain, strUser, strPassword
        aParts = Split(strAuth, " ")
        If aParts(0) <> "Basic" Then
            Call Unauth
        End If
        strPlain = Base64Decode(aParts(1))
        aCredentials = Split(strPlain, ":")
    %>
    <%= Server.HTMLEncode(aCredentials(0) & " - " & aCredentials(1)) %>
    </body>
    </html>
    <%
End If
%>

Hooking the user name and password up to something meaningful is left as an exercise for the reader.

Monday, August 2, 2021
 
Andrei Urse
answered 3 Months ago
56

The web server is prompting you for a SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) token.

This is a Microsoft invention for negotiating a type of authentication to use for Web SSO (single-sign-on):

  • either NTLM
  • or Kerberos.

See:

  • Microsoft MSDN Library: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
  • RFC 4178: The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism
Sunday, August 8, 2021
 
Tom Lilletveit
answered 3 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
 
Share