[1735] in WWW Security List Archive


Re: User Auth. -Reply

daemon@ATHENA.MIT.EDU (Seth I. Rich)
Wed Mar 27 14:42:51 1996

From: "Seth I. Rich" <seth@hygnet.com>
To: Baber_Amin@novell.com (Baber Amin)
Date: Wed, 27 Mar 1996 11:26:02 -0500 (EST)
Cc: swcheung@hkimd.cig.mot.com, seth@hygnet.com, www-security@ns2.rutgers.edu
In-Reply-To: <s1592477.092@fromGW> from "Baber Amin" at Mar 27, 96 11:21:37 am
Errors-To: owner-www-security@ns2.rutgers.edu

> Can I send a failed authentication response to the browser after the browser has been using
> the authenticated session for a while and now wishes to logout?
> Baber
> :)

My guess is `yes, you can'.  Make a CGI script within the protected
domain which returns a code to the browser indicating that the protection
failed.  I think the minimal case of such a document would look something
like this:

| HTTP/1.0 401 Unauthorized
| Date: Tue, 12 Mar 1996 00:15:14 GMT
| Content-type: text/html
| WWW-Authenticate: Basic realm="ByPassword"
| 
| <HTML><HEAD><TITLE>Authorization Required</TITLE></HEAD>
| <BODY><H1>Authorization Required</H1>
| Browser not authentication-capable or
| authentication failed.
| </BODY></HTML>

I don't know what the browser will do when it gets that response, though.
I usually try things before advising other people, but I haven't tried
this.  There's probably a way you can do this and not have it look awful,
though.

Seth
---------------------------------------------------------------------------
Seth I. Rich - seth@hygnet.com - (610) 859-0100
Systems Administrator / Webmaster, HYGNet       My words are my own; please
Rabbits on walls, no problem.                   don't blame my employer!
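
The 401 response sketched in the message above, as an added example (not part of the original post): a CGI script that emits it. An ordinary CGI script hands the server a "Status:" header and the server writes the status line; only a non-parsed-header (NPH) script writes "HTTP/1.0 401 ..." itself. The function names and the nph- filename check are assumptions of this example; the realm and body text are taken from the message.

```python
#!/usr/bin/env python3
"""CGI 'logout' endpoint that answers with a 401 Basic challenge."""
import os
import sys
from email.utils import formatdate

# Body text copied from the response shown in the message.
BODY = (
    "<HTML><HEAD><TITLE>Authorization Required</TITLE></HEAD>\n"
    "<BODY><H1>Authorization Required</H1>\n"
    "Browser not authentication-capable or\n"
    "authentication failed.\n"
    "</BODY></HTML>\n"
)


def quote_realm(realm):
    """Return realm as an HTTP quoted-string; refuse control characters."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in realm):
        raise ValueError("control character in realm (header injection risk)")
    return '"' + realm.replace("\\", "\\\\").replace('"', '\\"') + '"'


def logout_response(realm, nph=False, protocol="HTTP/1.0", now=None):
    """Build the complete 401 response as bytes.

    nph=False: ordinary CGI; the server builds the status line from Status:.
    nph=True:  NPH script; this code writes the status line and Date itself.
    """
    if nph:
        head = [protocol + " 401 Unauthorized",
                "Date: " + formatdate(now, usegmt=True)]
    else:
        head = ["Status: 401 Unauthorized"]
    head += [
        "Content-type: text/html",
        "WWW-Authenticate: Basic realm=" + quote_realm(realm),
        "Content-length: " + str(len(BODY.encode("ascii"))),
    ]
    return ("\r\n".join(head) + "\r\n\r\n" + BODY).encode("ascii")


if __name__ == "__main__":
    # Assumption: installed as nph-<name> when the server should not parse headers.
    nph = os.path.basename(sys.argv[0]).startswith("nph-")
    proto = os.environ.get("SERVER_PROTOCOL", "HTTP/1.0")
    sys.stdout.buffer.write(logout_response("ByPassword", nph, proto))
```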
