Re: Logoff WEB server when using basic authentication

From: Aaron Margosis [MS] (aaronmaronline@microsoft.com)
Date: 05/06/02


From: "Aaron Margosis [MS]" <aaronmaronline@microsoft.com>
Date: Sun, 5 May 2002 21:37:34 -0400


Nope. Whether or how long there is an active logon session on the web
server or an active connection doesn't matter. The issue is that once a
browser collects and successfully uses credentials for a particular "realm",
the browser will use those credentials for all subsequent requests to the
same realm. (HTTP Basic credentials are submitted in an "Authorization"
HTTP header -- see http://www.ietf.org/rfc/rfc2617.txt.) As long as the
credentials are still good (e.g., the password wasn't changed), the
authentication will succeed. The problem is that the protocol provides no
way for the server to tell the browser, "dump the current credentials and
collect new ones".

"Scott Stahlman [MS]" <scotstah@Onlinemicrosoft.com> wrote in message
news:euOP2aE9BHA.2052@cpmsftngxa08...
> Even lowering your session timeouts will only drop the connection, but the
> user only has to hit F5 to reconnect with the same credentials, and the
> content stays resident in the browser anyway. The TTL for the Basic
> Authentication token to be cached is configurable in the registry.
> Lowering it to one second would only irritate your users! I'm sure there
> is a way to force users to be logged off and I bet some of our developers
> in their newsgroups would be able to point you in the right direction.
>
>
>
> A new Security patch is available for IIS. Please read the information
> available at:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-018.asp
>
> Thanks,
> Scott
> IIS Support
>
>
> This posting is provided AS IS with no warranties, and confers no rights.
>
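
The behaviour described in the reply above, as an added example that is not part of the original thread: a toy server that checks the Basic "Authorization" header on every request, and a toy browser that caches credentials per realm. The realm name, account, and the names server_handle, Browser and demo are constructed for illustration.

```python
import base64
REALM = "intranet"                      # constructed realm name
USERS = {"alice": "s3cret"}             # constructed account store
sessions = set()                        # server-side logon sessions

def server_handle(headers):
    """Basic check per RFC 2617: each request is judged on its own header."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:              # bad base64 or bad UTF-8
            user, pw = "", ""
        if user in USERS and USERS[user] == pw:
            sessions.add(user)          # a new session is created silently
            return 200, {}
    # The only signal available is a challenge; no "forget credentials" reply exists.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

class Browser:
    """Toy client that caches credentials per realm, as the post describes."""
    def __init__(self, prompt):
        self.cache, self.prompt, self.prompts = {}, prompt, 0

    def get(self):
        headers = {}
        if REALM in self.cache:         # replay cached credentials, no prompt
            headers["Authorization"] = self.cache[REALM]
        status, _ = server_handle(headers)
        if status == 401:               # challenged: ask the user, retry once
            self.prompts += 1
            user, pw = self.prompt()
            token = base64.b64encode(f"{user}:{pw}".encode()).decode()
            headers["Authorization"] = "Basic " + token
            status, _ = server_handle(headers)
            if status == 200:
                self.cache[REALM] = headers["Authorization"]
            else:
                self.cache.pop(REALM, None)
        return status

def demo():
    b = Browser(lambda: ("alice", "s3cret"))   # user always types the old password
    first = b.get()                            # one prompt, then cached
    sessions.clear()                           # server drops the logon session
    after_logoff = (b.get(), b.prompts)        # still authenticated, no new prompt
    USERS["alice"] = "changed"                 # credential itself is invalidated
    after_change = (b.get(), b.prompts)        # cached header rejected, re-prompted
    return first, after_logoff, after_change
```

Clearing the server-side session changes nothing for the client; only a credential that is no longer valid produces a new challenge and prompt.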


