Nicolas Alvarez wrote:
> Exactly. Browsers give no UI to stop sending the login information to
> the server.
Firefox certainly does. It's in the exact same panel you go to to clear
out the "don't save passwords" for the more common "fill in this form to
get a cookie" kind of tracking.
--
Darren New / San Diego, CA, USA (PST)
"That's pretty. Where's that?"
"It's the Age of Channelwood."
"We should go there on vacation some time."
From: Nicolas Alvarez
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 16:12:26
Message: <47f699ba@news.povray.org>
> Nicolas Alvarez wrote:
>> Exactly. Browsers give no UI to stop sending the login information to
>> the server.
>
> Firefox certainly does. It's in the exact same panel you go to to clear
> out the "don't save passwords" for the more common "fill in this form to
> get a cookie" kind of tracking.
You mean Remove private data, Authenticated sessions? That's like
telling people to manually delete cookies from all websites when they
want to log out from a single place, instead of a "logout" button.
How do I log out of *one* website?
How can a website automatically log you out after inactivity? (cookies
have expiration date)
Isn't it safer to send a cookie with a session ID back and forth than
sending your actual username and password on every page request?
From: Darren New
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:01:27
Message: <47f6a537@news.povray.org>
Nicolas Alvarez wrote:
> You mean Remove private data, Authenticated sessions?
No. Tools->Options->Privacy->Passwords. Exactly where you'd expect it.
Authenticated sessions are SSL cookies, nothing to do with passwords.
> How do I log out of *one* website?
Tools->Options->Privacy->Passwords - remove the password for that site.
> How can a website automatically log you out after inactivity? (cookies
> have expiration date)
With the normal HTTP login mechanism, you're logging in every time you
fetch a page, so the question is meaningless.
If you're inactive, why does the web site need to "log you out"? Why
can't it just discard your session, empty your shopping cart, or
whatever else it does when you normally "log out"?
How does the web site keep you from saving the password in Firefox for
more than 30 minutes, forcing you to retype your user name and password
if you're idle too long? How does the web site keep you from leaving
the password-protected page on your screen after too much inactivity?
BTW, cookie expiration is enforced by the browser, not the server. Try
expiring a cookie on most cell phones. Hint: It doesn't work.
> Isn't it safer to send a cookie with a session ID back and forth than
> sending your actual username and password on every page request?
No. Cookies can be hijacked. MD5 message digests can't.
--
Darren New / San Diego, CA, USA (PST)
"That's pretty. Where's that?"
"It's the Age of Channelwood."
"We should go there on vacation some time."
From: Gail Shaw
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:12:49
Message: <47f6a7e1@news.povray.org>
"Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
news:47f6484e@news.povray.org...
> > Agreed. If it's very small we probably wouldn't even notice.
>
> If it's big, you think we would notice either? :)
Probably. The gravitational effects would be pretty noticeable, especially
when it gets close. Depends how massive the thing is how bad it would be.
Anywhere close to even stellar mass and it wouldn't have to come within the
Oort cloud to have some very nasty effects.
From: Nicolas Alvarez
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:26:43
Message: <47f6ab23$1@news.povray.org>
> Nicolas Alvarez wrote:
>> You mean Remove private data, Authenticated sessions?
>
> No. Tools->Options->Privacy->Passwords. Exactly where you'd expect it.
There is no "passwords" under "privacy". Passwords on the "security" tab
are the saved passwords. When you login via HTTP auth, and tell Firefox
*not* to save the password, it still keeps it for the current browser
session (otherwise it would keep asking you for the password on every
page request).
How do I delete that password within the session, without restarting the
browser? I doubt it's in the saved passwords list; that's for
auto-filling forms (or http auth dialogs), not for things within the
session.
And anyway, users would want something as simple as the "logout" button
on HTML forms, not getting into the browser options.
> BTW, cookie expiration is enforced by the browser, not the server.
Session usually expires server-side at the same time as the client-side
cookie. There are no sessions with HTTP auth, nothing you can expire.
One method I have seen for "expiring session on inactivity" (or on user
request, via a link) with HTTP auth is returning a 401 as if the
password was wrong, which forces most browsers to ask you the login info
again.
From: Nicolas Alvarez
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:33:27
Message: <47f6acb7$1@news.povray.org>
> How do I delete that password within the session, without restarting the
> browser?
"According to RFC 2616, existing browsers retain authentication
information indefinitely. HTTP does not provide a method for a server to
direct clients to discard these cached credentials. This is a
significant defect that requires further extensions to HTTP." --Wikipedia
"The authentication is kept in the browser (client side), so there's
really no way to log out the user on the server side AFAIK. The user
will have to close the browser to end the session. I think there are
hacks around this issue, but I haven't looked into them." --a Ruby on
Rails blog post
"Both Netscape Navigator and Internet Explorer will clear the local
browser window's authentication cache for the realm upon receiving a
server response of 401. This can effectively 'log out' a user, forcing
them to re-enter their username and password. Some people use this to
'time out' logins, or provide a 'log-out' button." --PHP manual
BTW: I think most people use forms for login just because everybody else
is doing it, not because they gave it any thought :)
From: Nicolas Alvarez
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:34:11
Message: <47f6ace3@news.povray.org>
Gail Shaw wrote:
> "Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
> news:47f6484e@news.povray.org...
>> Bill Pragnell wrote:
>>> Agreed. If it's very small we probably wouldn't even notice.
>> If it's big, you think we would notice either? :)
>
> Probably. The gravitational effects would be pretty noticeable, especially
> when it gets close. Depends how massive the thing is how bad it would be.
>
> Anywhere close to even stellar mass and it wouldn't have to come within the
> Oort cloud to have some very nasty effects
I meant, if it eats the Earth within a second and everyone gets killed
instantly, who would "notice"?
From: Warp
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 19:22:21
Message: <47f6c63b@news.povray.org>
Gail Shaw <initialsurname@sentech sa dot com> wrote:
> "Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
> news:47f6484e@news.povray.org...
> > Bill Pragnell wrote:
> > > Agreed. If it's very small we probably wouldn't even notice.
> >
> > If it's big, you think we would notice either? :)
> Probably. The gravitational effects would be pretty noticeable, especially
> when it gets close. Depends how massive the thing is how bad it would be.
> Anywhere close to even stellar mass and it wouldn't have to come within the
> Oort cloud to have some very nasty effects
I said in my original post "travelling at almost c towards us".
Pretty hard to notice.
--
- Warp
From: Darren New
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 19:29:09
Message: <47f6c7d5@news.povray.org>
Nicolas Alvarez wrote:
> There is no "passwords" under "privacy".
You should learn to qualify your statements, like
There is no "passwords" under "privacy" on my version of this program.
Certainly on Firefox 1.5.0.12 there is, and it holds the "auth"
passwords right next to the "<input type=password" passwords.
> When you login via HTTP auth, and tell Firefox
> *not* to save the password, it still keeps it for the current browser
> session (otherwise it would keep asking you for the password on every
> page request).
Right. Same with cookies, see.
> How do I delete that password within the session, without restarting the
> browser?
Uh, why would you? Don't go back to that site. :-)
Granted, if you want to log in as someone else, that could be mildly
problematic. I don't see this as a normal use case for 99% of the sites
I see using the kludged cookie-based logins, tho.
> And anyway, users would want something as simple as the "logout" button
> on HTML forms, not getting into the browser options.
There's no reason it couldn't be easier to do from the browser, yes.
> Session usually expires server-side at the same time as the client-side
> cookie. There are no sessions with HTTP auth, nothing you can expire.
Of course there is. You're just not thinking. The server knows how long
it has been since last you came back. After that time elapses, clean up
whatever you'd clean up if the user hit the "logout" button.
In other words, no, cookies do not "expire" on the server side, since
the server doesn't have a cookie. A cookie is a way for the server to
store something at the browser. The "something" is what expires. Hence,
go ahead, expire that "something".
> One method I have seen for "expiring session on inactivity" (or on user
> request, via a link) with HTTP auth is returning a 401 as if the
> password was wrong, which forces most browsers to ask you the login info
> again.
Or just return a 403 *once* even for the *right* password. Or change
the realm to be session-specific.
--
Darren New / San Diego, CA, USA (PST)
"That's pretty. Where's that?"
"It's the Age of Channelwood."
"We should go there on vacation some time."
From: Darren New
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 19:32:05
Message: <47f6c885@news.povray.org>
Darren New wrote:
> Or just return a 403 *once* even for the *right* password.
Sorry. Obviously I meant 401 there.
--
Darren New / San Diego, CA, USA (PST)
"That's pretty. Where's that?"
"It's the Age of Channelwood."
"We should go there on vacation some time."
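The idle-timeout idea discussed in this thread (the server tracks the last request per user and answers 401 once, even for the right password, after too much inactivity), as an added example that is not part of any post. The class name, realm, credentials and 30-minute limit are assumptions made for illustration.

```python
import base64
import hmac

REALM = "members"                      # assumed realm name
USERS = {"alice": "correct horse"}     # constructed demo credentials


def basic_header(user, password):
    """Build the Authorization value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


class IdleLogoutAuth:
    """Basic auth with a server-side idle timeout (hypothetical helper)."""

    def __init__(self, idle_limit=30 * 60):
        self.idle_limit = idle_limit   # seconds of allowed inactivity
        self.last_seen = {}            # user -> time of last accepted request

    def _challenge(self):
        # Per the thread, a 401 makes most browsers ask for the login again.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

    def _credentials(self, authorization):
        scheme, _, token = (authorization or "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode()
        except ValueError:             # bad base64 or bad UTF-8
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None

    def handle(self, authorization, now):
        """Return (status, headers) for one request arriving at time `now`."""
        creds = self._credentials(authorization)
        if creds is None:
            return self._challenge()
        user, password = creds
        expected = USERS.get(user)
        if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
            return self._challenge()
        last = self.last_seen.get(user)
        if last is not None and now - last > self.idle_limit:
            # Idle too long: drop server-side state and reject this one request
            # despite the right password; the retry starts a fresh session.
            del self.last_seen[user]
            return self._challenge()
        self.last_seen[user] = now
        return 200, {}
```

State is keyed by user name, so two browsers logged in as the same user share one idle timer; the session-specific realm variant mentioned in the thread is not shown.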