From: Dawes, Rogan (ZA - Johannesburg) (rdawes_at_deloitte.co.za)
Date: Mon Nov 25 2002 - 08:57:47 CST

Only real way to do this is to use a different URL (thus maintaining state)
for each session, and use that url as the realm.

Then, if the realm (==url) changes, the browser will "forget" about the
credentials, and prompt the user to reenter them.

MS has a kluge where they do this in Outlook webmail, but it is highly
browser dependent. IE prompts to be reauthenticated, but Mozilla and
Konqueror don't, for example.

Rogan

> -----Original Message-----
> From: UDP 53 [mailto:udp53hotmail.com]
> Sent: 25 November 2002 01:13
> To: webappsecsecurityfocus.com
> Subject: HTTP authentication and session timeout
>
> I am looking at a web app which uses HTTP authentication (over SSL) for
> user login. No mechanism is employed for session state management, and
> the app relies upon the default browser behaviour (of resending the
> encoded authentication string with each subsequent request) in order to
> re-identify the user through their session. No form of timeout is
> enforced by the server.
>
> Does anyone know if it is possible to enforce any kind of server-side
> timeout in this set-up? I.e., is there a way for the server to instruct
> the browser to destroy the cached login credentials, so that the user
> must reauthenticate?
>
> UDP53
> =====
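The per-session URL and realm scheme Rogan describes, applied to the idle-timeout problem in the original question, as an added example that is not from either poster. It is a framework-free request handler: every session lives under its own `/s/<session id>/` prefix, the session id is used as the Basic realm, and once the server-side idle timer expires the session is dropped and the client is redirected to a fresh prefix (and therefore a fresh realm) so the browser has to re-prompt. The user table, the `IDLE_TIMEOUT` value and the `X-User` response header are constructed for the example; the `Authorization` parsing is standard RFC 7617 Basic.

```python
import base64
import secrets
import time

# Constructed user table for the example. A real deployment would check a
# proper credential store (hashed passwords, lockout, etc.), not a dict.
USERS = {"alice": "s3cret"}
IDLE_TIMEOUT = 900  # seconds of inactivity after which the server forgets the session


def basic_header(user, password):
    """Build the Authorization header value a browser sends after a Basic prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


class RealmPerSessionGate:
    """Basic auth where each session has its own URL prefix (/s/<sid>/...)
    and that session id doubles as the realm, so a new session means a new
    realm and the browser discards the cached credentials."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}  # session id -> {"user": str | None, "last_seen": float | None}

    def new_session_url(self):
        # Unguessable id: url-safe characters only, so it is safe inside realm="..."
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": None, "last_seen": None}
        return f"/s/{sid}/"

    @staticmethod
    def _session_id(path):
        parts = path.split("/", 3)  # "/s/<sid>/rest" -> ["", "s", sid, "rest"]
        if len(parts) < 3 or parts[1] != "s" or not parts[2]:
            return None
        return parts[2]

    @staticmethod
    def _challenge(realm):
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

    def handle(self, path, headers, now=None):
        """Return (status, response headers) for one request."""
        now = time.time() if now is None else now
        sid = self._session_id(path)
        sess = self.sessions.get(sid) if sid else None
        if sess is None:
            # No or unknown session in the URL: hand out a fresh URL/realm.
            return 302, {"Location": self.new_session_url()}
        if sess["last_seen"] is not None and now - sess["last_seen"] > self.timeout:
            # Idle too long: forget the session and move the client to a new
            # URL/realm, which is what makes the browser prompt again.
            del self.sessions[sid]
            return 302, {"Location": self.new_session_url()}
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return self._challenge(sid)
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 payload
            return self._challenge(sid)
        expected = USERS.get(user)
        if expected is None or not secrets.compare_digest(expected.encode(), pw.encode()):
            return self._challenge(sid)
        sess["user"] = user
        sess["last_seen"] = now  # every authenticated request resets the idle timer
        return 200, {"X-User": user}
```

Note what this does and does not achieve: the server never learns whether a credential arrived because the user typed it or because the browser replayed it, so the forced re-prompt after the redirect depends entirely on the browser not resending credentials for a sibling path with a different realm, which is exactly the browser-dependence Rogan points out.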