  Re: As if we didn't have enough to worry about...  
From: Darren New
Date: 4 Apr 2008 19:29:09
Message: <47f6c7d5@news.povray.org>
Nicolas Alvarez wrote:
> There is no "passwords" under "privacy". 

You should learn to qualify your statements, like
   There is no "passwords" under "privacy" on my version of this program.

Certainly on Firefox 1.5.0.12 there is, and it holds the "auth" 
passwords right next to the "<input type=password" passwords.

> When you login via HTTP auth, and tell Firefox 
> *not* to save the password, it still keeps it for the current browser 
> session (otherwise it would keep asking you for the password on every 
> page request).

Right. Same with cookies, see.

> How do I delete that password within the session, without restarting the 
> browser?

Uh, why would you? Don't go back to that site. :-)

Granted, if you want to log in as someone else, that could be mildly 
problematic.  I don't see this as a normal use case for 99% of the sites 
I see using the kludged cookie-based logins, tho.

> And anyway, users would want something as simple as the "logout" button 
> on HTML forms, not getting into the browser options.

There's no reason it couldn't be easier to do from the browser, yes.

> Session usually expires server-side at the same time as the client-side 
> cookie. There are no sessions with HTTP auth, nothing you can expire.

Of course there is. You're just not thinking.  The server knows how long 
it has been since last you came back.  After that time elapses, clean up 
whatever you'd clean up if the user hit the "logout" button.

In other words, no, cookies do not "expire" on the server side, since 
the server doesn't have a cookie. A cookie is a way for the server to 
store something at the browser. The "something" is what expires. Hence, 
go ahead, expire that "something".

> One method I have seen for "expiring session on inactivity" (or on user 
> request, via a link) with HTTP auth is returning a 401 as if the 
> password was wrong, which forces most browsers to ask you the login info 
> again.

Or just return a 403 *once* even for the *right* password.  Or change 
the realm to be session-specific.

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."
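
The server-side idle timer and the one-time 401 challenge discussed in this message, sketched as an added example (not code from the post or from any participant). The `IdleGate` class, the `app-` realm prefix, the 900-second limit and the in-memory user table are assumptions made for illustration.

```python
import base64
import binascii
import hmac
import secrets

class IdleGate:
    """Server-side idle timeout for HTTP Basic auth (constructed demo)."""

    def __init__(self, users, idle_limit=900):
        self.users = users          # {user: password}; plaintext only for the demo
        self.idle_limit = idle_limit
        self.last_seen = {}         # user -> time of last accepted request
        self.force_prompt = set()   # users who followed a "logout" link

    def _challenge(self):
        # A new realm on every challenge: the "session-specific realm" idea.
        realm = "app-" + secrets.token_hex(4)
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}

    def _credentials(self, header):
        try:
            scheme, blob = header.split(" ", 1)
            if scheme.lower() != "basic":
                return None
            decoded = base64.b64decode(blob, validate=True).decode()
        except (ValueError, AttributeError, binascii.Error):
            return None             # missing or malformed Authorization header
        user, _, password = decoded.partition(":")
        expected = self.users.get(user)
        if expected is None:
            return None
        ok = hmac.compare_digest(expected.encode(), password.encode())
        return user if ok else None

    def logout(self, user):
        self.force_prompt.add(user)

    def handle(self, header, now):
        user = self._credentials(header)
        if user is None:
            return self._challenge()
        idle = now - self.last_seen.get(user, now)
        if user in self.force_prompt or idle > self.idle_limit:
            # Drop the server-side state and challenge once; the retry is accepted.
            self.force_prompt.discard(user)
            self.last_seen.pop(user, None)
            return self._challenge()
        self.last_seen[user] = now
        return 200, {}

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The browser resends whatever credentials it has cached, so the server cannot tell a retyped password from a replayed one; the single 401 only forces the prompt to reappear.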

