[hunchentoot-devel] Authorization data being cached

Ron Garret ron at flownet.com
Thu Jan 28 16:51:21 UTC 2010


On Jan 28, 2010, at 8:09 AM, Andreas Fuchs wrote:

> On Thu, Jan 28, 2010 at 15:57, Patrick May <patrick.may at mac.com> wrote:
>>        I don't think this is a Hunchentoot issue, but I thought I'd ask here first.  I've noticed that Safari seems to cache the basic authorization username and password, so that even if I call (remove-session *session*) on the server side, Safari just reloads the page.
> 
> AFAIK, every browser does this. It's the only way HTTP Basic auth can
> work without being terribly annoying to the user.
> 
>>        Am I interpreting the behavior correctly?  If so, how do I force a re-authorization?
> 
> To "log out" the user, you need to return a 401 Unauthorized status
> (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), which
> will prompt the browser to display the user/password dialog box again.
> If the user presses Cancel enough times, they'll finally be logged
> out.
> 
> It's terribly convoluted, but that's Basic auth for you /-:

Yes.  That is why IMHO basic auth (and in fact all HTTP auth schemes) should never be used.  They are fundamentally b0rken.

rg
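As an added illustration of the 401 round trip Andreas describes (example code, not from the thread and not Hunchentoot's own), two handlers for a Hunchentoot server: one that demands Basic credentials and one that "logs out" by answering 401 so the browser stops replaying its cached Authorization header. `hunchentoot:authorization`, `hunchentoot:require-authorization`, `hunchentoot:remove-session` and `hunchentoot:*session*` are real Hunchentoot symbols; `valid-credentials-p`, the realm string and the test account are assumptions made up for the example.

```lisp
;;; Added example, not code from the thread or from Hunchentoot itself.
;;; Point shown: (remove-session *session*) only forgets server-side
;;; state; Safari still resends the cached Authorization header on the
;;; next request, so the server must answer 401 to get a fresh prompt.

(defun valid-credentials-p (user password)
  "Hypothetical check against the application's user store."
  (and (string= user "alice") (string= password "s3cret")))

(defun current-user ()
  "Return the authenticated user name, or send 401 and abort the handler.
   REQUIRE-AUTHORIZATION sets WWW-Authenticate: Basic realm=\"...\" and
   status 401, which is what makes the browser show the dialog again."
  (multiple-value-bind (user password) (hunchentoot:authorization)
    (if (and user (valid-credentials-p user password))
        user
        (hunchentoot:require-authorization "example"))))

(hunchentoot:define-easy-handler (protected :uri "/protected") ()
  (format nil "Hello, ~A" (current-user)))

(hunchentoot:define-easy-handler (logout :uri "/logout") ()
  ;; Drop the server-side session, as the original poster did ...
  (when hunchentoot:*session*
    (hunchentoot:remove-session hunchentoot:*session*))
  ;; ... and then answer 401 regardless of the credentials sent. The
  ;; browser discards its cached user/password for this realm and
  ;; prompts; as Andreas notes, the user may have to press Cancel
  ;; more than once before the browser truly forgets them.
  (hunchentoot:require-authorization "example"))
```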