Re: User Auth. -Reply

• To: Baber_Amin@novell.com (Baber Amin)
• Subject: Re: User Auth. -Reply
• From: "Seth I. Rich" <seth@hygnet.com>
• Date: Wed, 27 Mar 1996 11:26:02 -0500 (EST)
• Cc: swcheung@hkimd.cig.mot.com, seth@hygnet.com, www-security@ns2.rutgers.edu
• In-Reply-To: <s1592477.092@fromGW> from "Baber Amin" at Mar 27, 96 11:21:37 am

> Can I send a failed authentication responce to the browser  after the browser  has been using
> the authenticated session for a while and now wishes to logout.
> Baber
> :)

My guess is `yes, you can'.  Make a CGI script within the protected
domain which returns a code to the browser indicating that the protection
failed.  I think the minimal case of such a document would look something
like this:

| HTTP/1.0 401 Unauthorized
| Date: Tue, 12 Mar 1996 00:15:14 GMT
| Content-type: text/html
| WWW-Authenticate: Basic realm="ByPassword"
| 
| <HTML><HEAD><TITLE>Authorization Required</TITLE></HEAD>
| <BODY><H1>Authorization Required</H1>
| Browser not authentication-capable or
| authentication failed.
| </BODY></HTML>

I don't know what the browser will do when it gets that response, though.
I usually try things before advising other people, but I haven't tried
this.  There's probably a way you can do this and not have it look awful,
though.

Seth
---------------------------------------------------------------------------
Seth I. Rich - seth@hygnet.com - (610) 859-0100
Systems Administrator / Webmaster, HYGNet       My words are my own; please
Rabbits on walls, no problem.                   don't blame my employer!

• From:

• Previous: Re: User Auth. -Reply
• Next: Re: User Auth. -Reply
• Index(es):
  • Index
  • Thread