Re: killing client popup window
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/04/05
- In reply to: s.chelliah_at_gmail.com: "killing client popup window"
Date: Thu, 3 Nov 2005 21:19:30 -0800
I do not think this is a problem/bug in IE. The problem is that what you do
in step #2 is unspecified.

There is no public specification on how to "logout" or "expire" Basic
authentication. Unlike Windows authentication which ties the session to the
TCP connection or Kerberos which encrypts a timestamp in the authentication
token, Basic is weakly insufficient and has no such provision.

The way Basic authentication works, the server always requires the client to
send the Authorization: header which contains the username/password Base64
encoded (not encrypted at all).

So, once the client realizes that the server requires Basic authentication
and pops up that first login dialog asking for the username/password, on
subsequent requests it can optimize by pre-sending the Authorization header.

Now, tell me through what publicly defined mechanism can the server tell the
client to reset this also un-specified optimization.

It does not matter if Firefox/Netscape does what you want in response to
your custom server-side code; the whole thing you talk about is unspecified
behavior, so you have no basis to say whether something is "correct" or not.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

<s.chelliah@gmail.com> wrote in message
news:1130949567.118646.321770@g44g2000cwa.googlegroups.com...

I am using basic authentication using an embedded web server (not IIS) and
noticed a problem (bug?) with Microsoft IE 6.0. Here are the steps I did:

1) when the authentication window pops up, log in using user name and
password.
2) Let the session expire (Using my code in the web server).
3) Same authentication window pops up when I click on a link
4) This time, click cancel or even kill the popup window
5) click on a link

Using debug statements, I noticed that browser is sending username and
password! Netscape and Firefox correctly clear the cache when I click on
the cancel button (on the popup window).

Is there a workaround for this problem or should I develop my own
login/logout pages?

Thanks
Siva
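
Added example, not part of the original thread or of either poster's code: a Python sketch of the point made in the reply, that the Authorization header is only Base64 and that a cached header replayed after a server-side "expiry" is byte-identical to a fresh login. The ToyServer class, its one-shot expiry flag, and the alice credentials are assumptions constructed for illustration.

```python
import base64
import binascii
import hmac

def parse_basic_authorization(value):
    """Return (username, password) from an Authorization header value, else None."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = text.partition(":")  # password may contain ':'
    return (username, password) if sep else None

class ToyServer:
    """Hypothetical embedded server that tries to 'expire' a Basic login."""
    def __init__(self, users):
        self.users = users
        self.expired = set()

    def expire(self, username):
        self.expired.add(username)

    def handle(self, headers):
        creds = parse_basic_authorization(headers.get("Authorization", ""))
        expected = self.users.get(creds[0]) if creds else None
        if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
            return 401
        if creds[0] in self.expired:
            # Challenge once. The flag has to be cleared here, otherwise the
            # user could never log in again with the same password.
            self.expired.discard(creds[0])
            return 401
        return 200

# Constructed sample: the header a browser caches after the first login dialog.
CACHED = {"Authorization": "Basic " + base64.b64encode(b"alice:pw:with:colon").decode()}

def replay_after_expiry():
    server = ToyServer({"alice": "pw:with:colon"})
    statuses = [server.handle(CACHED)]      # normal request
    server.expire("alice")
    statuses.append(server.handle(CACHED))  # server challenges, dialog appears
    # User cancels the dialog; the browser pre-sends the same cached header.
    statuses.append(server.handle(CACHED))  # byte-identical to a fresh login
    return statuses

if __name__ == "__main__":
    print(parse_basic_authorization(CACHED["Authorization"]), replay_after_expiry())
```

The third request succeeds because nothing in the header distinguishes re-typed credentials from replayed ones, so any expiry the server enforces has to live in state the server itself issues.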