"Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
news:47f6484e@news.povray.org...

> > Agreed. If it's very small we probably wouldn't even notice.
>
> If it's big, you think we would notice either? :)

Probably. The gravitational effects would be pretty noticable, especially
when it gets close. Depends how massive the thing is how bad it would be.

Anywhere close to even  stellar mass and it wouldn't have to come within the
oort clous to have some very nasty effects

Post a reply to this message

> Nicolas Alvarez wrote:
>> You mean Remove private data, Authenticated sessions?
> 
> No. Tools->Options->Privacy->Passwords.  Exactly where you'd expect it.

There is no "passwords" under "privacy". Passwords on the "security" tab 
are the saved passwords. When you login via HTTP auth, and tell Firefox 
*not* to save the password, it still keeps it for the current browser 
session (otherwise it would keep asking you for the password on every 
page request).

How do I delete that password within the session, without restarting the 
browser? I doubt it's in the saved passwords list; that's for 
auto-filling forms (or http auth dialogs), not for things within the 
session.

And anyway, users would want something as simple as the "logout" button 
on HTML forms, not getting into the browser options.

> BTW, cookie expiration is enforced by the browser, not the server.

Session usually expires server-side at the same time as the client-side 
cookie. There are no sessions with HTTP auth, nothing you can expire.

One method I have seen for "expiring session on inactivity" (or on user 
request, via a link) with HTTP auth is returning a 401 as if the 
password was wrong, which forces most browsers to ask you the login info 
again.

Post a reply to this message

> How do I delete that password within the session, without restarting the 
> browser?

"According to RFC 2616, existing browsers retain authentication 
information indefinitely. HTTP does not provide a method for a server to 
direct clients to discard these cached credentials. This is a 
significant defect that requires further extensions to HTTP." --Wikipedia

"The authentication is kept in the browser (client side), so there's 
really no way to log out the user on the server side AFAIK. The user 
will have to close the browser to end the session. I think there are 
hacks around this issue, but I haven't looked into them." --a Ruby on 
Rails blog post

"Both Netscape Navigator and Internet Explorer will clear the local 
browser window's authentication cache for the realm upon receiving a 
server response of 401. This can effectively 'log out' a user, forcing 
them to re-enter their username and password. Some people use this to 
'time out' logins, or provide a 'log-out' button." --PHP manual

BTW: I think most people use forms for login just because everybody else 
is doing it, not because they gave it any thought :)

Post a reply to this message

Gail Shaw escribió:
> "Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
> news:47f6484e@news.povray.org...
>> Bill Pragnell escribi�:
>>> Agreed. If it's very small we probably wouldn't even notice.
>> If it's big, you think we would notice either? :)
> 
> Probably. The gravitational effects would be pretty noticable, especially
> when it gets close. Depends how massive the thing is how bad it would be.
> 
> Anywhere close to even  stellar mass and it wouldn't have to come within the
> oort clous to have some very nasty effects

I meant, if it eats the Earth within a second and everyone gets killed 
instantly, who would "notice"?

Post a reply to this message

Gail Shaw <initialsurname@sentech sa dot com> wrote:

> "Nicolas Alvarez" <nic### [at] gmailisthebestcom> wrote in message
> news:47f6484e@news.povray.org...
> > Bill Pragnell escribi?:
> > > Agreed. If it's very small we probably wouldn't even notice.
> >
> > If it's big, you think we would notice either? :)

> Probably. The gravitational effects would be pretty noticable, especially
> when it gets close. Depends how massive the thing is how bad it would be.

> Anywhere close to even  stellar mass and it wouldn't have to come within the
> oort clous to have some very nasty effects

  I said in my original post "travelling at almost c towards us".
Pretty hard to notice.

-- 
                                                          - Warp

Post a reply to this message

Nicolas Alvarez wrote:
> There is no "passwords" under "privacy". 

You should learn to qualify your statements, like
   There is no "passwords" under "privacy" on my version of this program.

Certainly on Firefox 1.5.0.12 there is, and it holds the "auth" 
passwords right next to the "<input type=password" passwords.

> When you login via HTTP auth, and tell Firefox 
> *not* to save the password, it still keeps it for the current browser 
> session (otherwise it would keep asking you for the password on every 
> page request).

Right. Same with cookies, see.

> How do I delete that password within the session, without restarting the 
> browser?

Uh, why would you? Don't go back to that site. :-)

Granted, if you want to log in as someone else, that could be mildly 
problematic.  I don't see this as a normal use case for 99% of the sites 
I see using the kludged cookie-based logins, tho.

> And anyway, users would want something as simple as the "logout" button 
> on HTML forms, not getting into the browser options.

There's no reason it couldn't be easier to do from the browser, yes.

> Session usually expires server-side at the same time as the client-side 
> cookie. There are no sessions with HTTP auth, nothing you can expire.

Of course there is. You're just not thinking.  The server knows how long 
it has been since last you came back.  After that time elapses, clean up 
whatever you'd clean up if the user hit the "logout" button.

In other words, no, cookies do not "expire" on the server side, since 
the server doesn't have a cookie. A cookie is a way for the server to 
store something at the browser. The "something" is what expires. Hence, 
go ahead, expire that "something".

> One method I have seen for "expiring session on inactivity" (or on user 
> request, via a link) with HTTP auth is returning a 401 as if the 
> password was wrong, which forces most browsers to ask you the login info 
> again.

Or just return a 403 *once* even for the *right* password.  Or change 
the realm to be session-specific.

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."

Post a reply to this message

Darren New wrote:
> Or just return a 403 *once* even for the *right* password. 

Sorry. Obviously I meant 401 there.


-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."

Post a reply to this message

Nicolas Alvarez wrote:

>> How do I delete that password within the session, without restarting 
>> the browser?
> 
> "According to RFC 2616, existing browsers retain authentication 
> information indefinitely.

Note that "indefinitely" does not mean "forever". It means you can't 
control how long they save it.

Just like you can't control how long the browser caches user name / 
password information for a forms-based login.

> This is a 
> significant defect that requires further extensions to HTTP." --Wikipedia

Without someone explaining why it's a defect, I'm not sure this is so clear.

> "Both Netscape Navigator and Internet Explorer will clear the local 
> browser window's authentication cache for the realm upon receiving a 
> server response of 401.

Right. That's basically exactly how you're *supposed* to do it. "The 
password you provided to get to this page is invalid. Please reenter it.

> BTW: I think most people use forms for login just because everybody else 
> is doing it, not because they gave it any thought :)

Exactly my point, yes.

Plus, it adds the overhead of requiring SSL (which sucks up both compute 
cycles and IP addresses) just so you can accept the password without 
sending it in the clear, unlike HTTP AUTH.

But of course, again the whole argument that cookies are better than 
AUTH is based on the flawed premise that you should be having "logins" 
in protocols running over a stateless protocol like HTTP in the first place.

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."

Post a reply to this message

> Nicolas Alvarez wrote:
>> Session usually expires server-side at the same time as the 
>> client-side cookie. There are no sessions with HTTP auth, nothing you 
>> can expire.
> 
> Of course there is. You're just not thinking.  The server knows how long 
> it has been since last you came back.  After that time elapses, clean up 
> whatever you'd clean up if the user hit the "logout" button.
> 
> In other words, no, cookies do not "expire" on the server side, since 
> the server doesn't have a cookie. A cookie is a way for the server to 
> store something at the browser. The "something" is what expires. Hence, 
> go ahead, expire that "something".

With cookie-based login, the "something" to expire is the session ID 
kept in the cookie. Even if the client doesn't expire the cookie, the 
server wouldn't accept the session ID anymore once it expires.

With HTTP auth, the "something" that the client sends is the user 
credentials. Should I expire the user's password?

Anyway, just Google "http auth logout" [1] and see how many people 
complain about it. *Sometimes* even people who know what they're talking 
about :)

[1] or "http (auth|authentication) (logout|log out)" so that you don't 
miss anything.

Post a reply to this message

Nicolas Alvarez wrote:
> With cookie-based login, the "something" to expire is the session ID 
> kept in the cookie. Even if the client doesn't expire the cookie, the 
> server wouldn't accept the session ID anymore once it expires.

No. If the only thing you're expiring is the cookie, then there's no 
point in having the cookie. The cookie is there to track some state on 
the server and associate it with the user's session. The cookie by 
itself isn't useful. It's the cookie's association with the row in the 
database representing the shopping cart or whatever that's useful.

> With HTTP auth, the "something" that the client sends is the user 
> credentials. Should I expire the user's password?

The cookie is there to identify the user. The auth is there to identify 
the user. What exactly is it you do at the server when the "cookie 
expires". You don't "log out" the user, because the user isn't "logged 
in" at that level of abstraction. You're changing some system state, 
which you have to do when "the cookie expires" regardless of what the 
browser does.

Put it this way: You give me a cookie that's set to expire in an hour. 
If I come back in 3 hours with the same cookie (because my browser 
didn't expire it), are you going to let me in with exactly the same 
state? If so, why are you expiring my cookie?  If not, why is the cookie 
better than auth?  If it's really important my cookie expires, you need 
to enforce that at your end.

So what action do you take when someone says "log out" other than 
deleting the cookie, and why do you care? Why not just have a "log out" 
button that cleans up the server side, and from then on return a 403 if 
they go anywhere other than the "log in" link from the home page? :-)

It's really not that hard if you think about it a while. It's just 
easier to pretend HTTP is stateful. And of course the marketing people 
don't like it, because it doesn't work like everyone else's web site, 
all of which work differently.

(Of course, you don't get to do CAPTHCAH either.)

> Anyway, just Google "http auth logout" [1] and see how many people 
> complain about it. *Sometimes* even people who know what they're talking 
> about :)

Oh, I'm not saying it's never appropriate. It's just used almost never, 
and it has definite advantages.

Just looking at the first link, 
http://www.artima.com/weblogs/viewpost.jsp?thread=155252

He lists "username prompt can't be customized". Sure, but that can also 
be a good thing. It's a UI standard. :-)

Numbers 2, 3, 4 are all bogus. "No way to do optional authentication", 
for example, is baloney. Don't return a 401, you don't need to 
authenticate.  5, "difficult single sign-on", is true, but just as bad 
for forms-based sign-ons, because you have to use SSL for that, and 
hence you need to either spend big bucks on a wildcard cert or suck up a 
whole bunch of public IP addresses because you don't like built-in 
authentication. :-)

Basically, the problem is "http auth is lame, because browsers implement 
it in a lame way, so we're not going to use it, so browser authors won't 
bother to de-lame it."  Which makes sense, given HTTP isn't really 
designed to be used for stateful applications anyway. :-)

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."

Post a reply to this message