Nicolas Alvarez wrote:
>> How do I delete that password within the session, without restarting
>> the browser?
>
> "According to RFC 2616, existing browsers retain authentication
> information indefinitely.
Note that "indefinitely" does not mean "forever". It means you can't
control how long they save it.
Just like you can't control how long the browser caches user name /
password information for a forms-based login.
> This is a
> significant defect that requires further extensions to HTTP." --Wikipedia
Without someone explaining why it's a defect, I'm not sure this is so clear.
> "Both Netscape Navigator and Internet Explorer will clear the local
> browser window's authentication cache for the realm upon receiving a
> server response of 401.
Right. That's basically exactly how you're *supposed* to do it. "The
password you provided to get to this page is invalid. Please reenter it."
> BTW: I think most people use forms for login just because everybody else
> is doing it, not because they gave it any thought :)
Exactly my point, yes.
Plus, it adds the overhead of requiring SSL (which sucks up both compute
cycles and IP addresses) just so you can accept the password without
sending it in the clear, unlike HTTP AUTH.
But of course, again the whole argument that cookies are better than
AUTH is based on the flawed premise that you should be having "logins"
in protocols running over a stateless protocol like HTTP in the first place.
--
Darren New / San Diego, CA, USA (PST)
"That's pretty. Where's that?"
"It's the Age of Channelwood."
"We should go there on vacation some time."