  As if we didn't have enough to worry about... (Message 31 to 40 of 53)  
From: Darren New
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 15:48:24
Message: <47f69418$1@news.povray.org>
Nicolas Alvarez wrote:
> Exactly. Browsers give no UI to stop sending the login information to 
> the server.

Firefox certainly does. It's in the exact same panel you go to to clear 
out the "don't save passwords" for the more common "fill in this form to 
get a cookie" kind of tracking.

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."



From: Nicolas Alvarez
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 16:12:26
Message: <47f699ba@news.povray.org>

> Nicolas Alvarez wrote:
>> Exactly. Browsers give no UI to stop sending the login information to 
>> the server.
> 
> Firefox certainly does. It's in the exact same panel you go to to clear 
> out the "don't save passwords" for the more common "fill in this form to 
> get a cookie" kind of tracking.

You mean Remove private data, Authenticated sessions? That's like 
telling people to manually delete cookies from all websites when they 
want to log out from a single place, instead of a "logout" button.

How do I log out of *one* website?

How can a website automatically log you out after inactivity? (cookies 
have expiration date)

Isn't it safer to send a cookie with a session ID back and forth than 
sending your actual username and password on every page request?



From: Darren New
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:01:27
Message: <47f6a537@news.povray.org>
Nicolas Alvarez wrote:
> You mean Remove private data, Authenticated sessions?

No. Tools->Options->Privacy->Passwords.  Exactly where you'd expect it.

Authenticated sessions are SSL cookies, nothing to do with passwords.

> How do I log out of *one* website?

Tools->Options->Privacy->Passwords - remove the password for that site.

> How can a website automatically log you out after inactivity? (cookies 
> have expiration date)

With the normal HTTP login mechanism, you're logging in every time you 
fetch a page, so the question is meaningless.

If you're inactive, why does the web site need to "log you out"?  Why 
can't it just discard your session, empty your shopping cart, or 
whatever else it does when you normally "log out"?

How does the web site keep you from saving the password in Firefox for 
more than 30 minutes, forcing you to retype your user name and password 
if you're idle too long?  How does the web site keep you from leaving 
the password-protected page on your screen after too much inactivity?

BTW, cookie expiration is enforced by the browser, not the server. Try 
expiring a cookie on most cell phones. Hint: It doesn't work.

> Isn't it safer to send a cookie with a session ID back and forth than 
> sending your actual username and password on every page request?

No.  Cookies can be hijacked. MD5 message digests can't.

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."



From: Gail Shaw
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:12:49
Message: <47f6a7e1@news.povray.org>
"Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
news:47f6484e@news.povray.org...

> > Agreed. If it's very small we probably wouldn't even notice.
>
> If it's big, you think we would notice either? :)

Probably. The gravitational effects would be pretty noticeable, especially
when it gets close. Depends how massive the thing is how bad it would be.

Anywhere close to even stellar mass and it wouldn't have to come within the
Oort cloud to have some very nasty effects.



From: Nicolas Alvarez
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:26:43
Message: <47f6ab23$1@news.povray.org>

> Nicolas Alvarez wrote:
>> You mean Remove private data, Authenticated sessions?
> 
> No. Tools->Options->Privacy->Passwords.  Exactly where you'd expect it.

There is no "passwords" under "privacy". Passwords on the "security" tab 
are the saved passwords. When you login via HTTP auth, and tell Firefox 
*not* to save the password, it still keeps it for the current browser 
session (otherwise it would keep asking you for the password on every 
page request).

How do I delete that password within the session, without restarting the 
browser? I doubt it's in the saved passwords list; that's for 
auto-filling forms (or http auth dialogs), not for things within the 
session.

And anyway, users would want something as simple as the "logout" button 
on HTML forms, not getting into the browser options.

> BTW, cookie expiration is enforced by the browser, not the server.

Session usually expires server-side at the same time as the client-side 
cookie. There are no sessions with HTTP auth, nothing you can expire.

One method I have seen for "expiring session on inactivity" (or on user 
request, via a link) with HTTP auth is returning a 401 as if the 
password was wrong, which forces most browsers to ask you the login info 
again.



From: Nicolas Alvarez
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:33:27
Message: <47f6acb7$1@news.povray.org>

> How do I delete that password within the session, without restarting the 
> browser?

"According to RFC 2616, existing browsers retain authentication 
information indefinitely. HTTP does not provide a method for a server to 
direct clients to discard these cached credentials. This is a 
significant defect that requires further extensions to HTTP." --Wikipedia

"The authentication is kept in the browser (client side), so there's 
really no way to log out the user on the server side AFAIK. The user 
will have to close the browser to end the session. I think there are 
hacks around this issue, but I haven't looked into them." --a Ruby on 
Rails blog post

"Both Netscape Navigator and Internet Explorer will clear the local 
browser window's authentication cache for the realm upon receiving a 
server response of 401. This can effectively 'log out' a user, forcing 
them to re-enter their username and password. Some people use this to 
'time out' logins, or provide a 'log-out' button." --PHP manual

BTW: I think most people use forms for login just because everybody else 
is doing it, not because they gave it any thought :)



From: Nicolas Alvarez
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 17:34:11
Message: <47f6ace3@news.povray.org>
Gail Shaw wrote:
> "Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
> news:47f6484e@news.povray.org...
>> Bill Pragnell wrote:
>>> Agreed. If it's very small we probably wouldn't even notice.
>> If it's big, you think we would notice either? :)
> 
> Probably. The gravitational effects would be pretty noticeable, especially
> when it gets close. Depends how massive the thing is how bad it would be.
> 
> Anywhere close to even stellar mass and it wouldn't have to come within the
> Oort cloud to have some very nasty effects.

I meant, if it eats the Earth within a second and everyone gets killed 
instantly, who would "notice"?



From: Warp
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 19:22:21
Message: <47f6c63b@news.povray.org>
Gail Shaw <initialsurname@sentech sa dot com> wrote:

> "Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
> news:47f6484e@news.povray.org...
> > Bill Pragnell wrote:
> > > Agreed. If it's very small we probably wouldn't even notice.
> >
> > If it's big, you think we would notice either? :)

> Probably. The gravitational effects would be pretty noticeable, especially
> when it gets close. Depends how massive the thing is how bad it would be.

> Anywhere close to even stellar mass and it wouldn't have to come within the
> Oort cloud to have some very nasty effects.

  I said in my original post "travelling at almost c towards us".
Pretty hard to notice.

-- 
                                                          - Warp



From: Darren New
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 19:29:09
Message: <47f6c7d5@news.povray.org>
Nicolas Alvarez wrote:
> There is no "passwords" under "privacy". 

You should learn to qualify your statements, like
   There is no "passwords" under "privacy" on my version of this program.

Certainly on Firefox 1.5.0.12 there is, and it holds the "auth" 
passwords right next to the "<input type=password" passwords.

> When you login via HTTP auth, and tell Firefox 
> *not* to save the password, it still keeps it for the current browser 
> session (otherwise it would keep asking you for the password on every 
> page request).

Right. Same with cookies, see.

> How do I delete that password within the session, without restarting the 
> browser?

Uh, why would you? Don't go back to that site. :-)

Granted, if you want to log in as someone else, that could be mildly 
problematic.  I don't see this as a normal use case for 99% of the sites 
I see using the kludged cookie-based logins, tho.

> And anyway, users would want something as simple as the "logout" button 
> on HTML forms, not getting into the browser options.

There's no reason it couldn't be easier to do from the browser, yes.

> Session usually expires server-side at the same time as the client-side 
> cookie. There are no sessions with HTTP auth, nothing you can expire.

Of course there is. You're just not thinking.  The server knows how long 
it has been since last you came back.  After that time elapses, clean up 
whatever you'd clean up if the user hit the "logout" button.

In other words, no, cookies do not "expire" on the server side, since 
the server doesn't have a cookie. A cookie is a way for the server to 
store something at the browser. The "something" is what expires. Hence, 
go ahead, expire that "something".

> One method I have seen for "expiring session on inactivity" (or on user 
> request, via a link) with HTTP auth is returning a 401 as if the 
> password was wrong, which forces most browsers to ask you the login info 
> again.

Or just return a 403 *once* even for the *right* password.  Or change 
the realm to be session-specific.

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."



From: Darren New
Subject: Re: As if we didn't have enough to worry about...
Date: 4 Apr 2008 19:32:05
Message: <47f6c885@news.povray.org>
Darren New wrote:
> Or just return a 403 *once* even for the *right* password. 

Sorry. Obviously I meant 401 there.


-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."
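
The "return a 401 once, even for the right password" idea from the posts above, combined with a server-side idle timer, as an added example that is not code from any poster in this thread. The `IdleGate` class, the user store, the realm name and the 30-minute limit are all assumptions made for illustration.

```python
import base64, hashlib, hmac

IDLE_LIMIT = 30 * 60   # assumed idle limit, in seconds
REALM = "example"      # hypothetical realm name

def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed credential store: user -> (salt, PBKDF2 hash)
USERS = {"alice": (b"constructed-salt", _hash("correct horse", b"constructed-salt"))}

class IdleGate:
    """Decides 200 vs 401 for HTTP Basic auth with a server-side idle timeout."""

    def __init__(self):
        self.last_seen = {}      # user -> time of last accepted request
        self.challenge = set()   # users owed exactly one forced 401

    def _user_for(self, header):
        try:
            scheme, blob = header.split(" ", 1)
            user, pw = base64.b64decode(blob, validate=True).decode().split(":", 1)
        except (AttributeError, ValueError):   # missing or malformed header
            return None
        # Hash even for unknown users so both paths cost about the same.
        salt, want = USERS.get(user, (b"no-such-user", b""))
        ok = hmac.compare_digest(_hash(pw, salt), want)
        return user if ok and scheme.lower() == "basic" else None

    def logout(self, user):
        """Drop server-side state and schedule one 401 for this user."""
        self.last_seen.pop(user, None)
        self.challenge.add(user)

    def handle(self, auth_header, now):
        deny = (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})
        user = self._user_for(auth_header)
        if user is None:
            return deny
        seen = self.last_seen.get(user)
        if seen is not None and now - seen > IDLE_LIMIT:
            self.logout(user)             # idle too long: same path as "log out"
        if user in self.challenge:
            self.challenge.discard(user)  # refuse once; a fresh login then works
            return deny
        self.last_seen[user] = now
        return (200, {})
```

A client that replays a saved password without prompting gets past the single 401 unnoticed, so this only forces a re-prompt in browsers that clear their cached credentials on a 401.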




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.