Thread: Http www-authenticated connections

  1. #1
    Registered User
    Join Date
    Mar 2005
    Location
    Juneda
    Posts
    291

    Http www-authenticated connections

    Hello, I have a problem with a client/server http connection after a 'WWW-Authenticate' return from the server and the next 'Authorization: ' requests from the client. That's the working line

    Code:
    Client sends a request for a restricted file
    
        GET /file.rst HTTP/1.0
        Accept: */*
    
    
    but because it is a restricted file the server returns a 'need authorization' response
    
        HTTP/1.0 401 Unauthorized
        WWW-Authenticate: BASIC realm="System Administrator"
    
    
    Ok, the client opens a default popup asking the user for a name and password, and then it resends 
    the restricted file request with the user:password in BASIC base64 encoding
    
        GET /file.rst HTTP/1.0
        Accept: */*
        Authorization: BASIC aaAaAaAAaa
    
    
    Then the server checks the user and password and (if it's right) sends the restricted file.
    Up to here there isn't any problem, but after the server has accepted a user/password once, the client sends it in each request. My question is: what does the server have to send to the client to force it to log out (or to force it to forget the user/passw)? If I close the browser then the user is also logged out (from the client memory), but I was wondering if the server can send a header like 'WWW-Authenticate: Forget Actual User' (of course I haven't tried to send that).


    Note: the server is a simple server I've created, and the client is one of the 'professional' ones available.


    Thanks in advance
    Niara
    Last edited by Niara; 06-03-2007 at 01:25 PM.
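
The server-side half of the exchange in post #1, as an added example that is not part of the original thread or of the poster's server: parsing the `Authorization` header value into user and password. The function name `parse_basic_auth`, the buffer sizes and the sample credentials are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Value of one base64 character, or -1 if it is outside the alphabet. */
static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Parse the value of an Authorization header ("Basic <base64>").
 * Fills user/pass (NUL-terminated). Returns 0 on success, -1 when the value
 * is not well-formed Basic credentials or does not fit the buffers. */
int parse_basic_auth(const char *v, char *user, size_t ulen,
                     char *pass, size_t plen) {
    char buf[256], *colon;
    size_t n = 0;
    unsigned acc = 0;
    int bits = 0;

    if (strncasecmp(v, "Basic ", 6) != 0) return -1;  /* scheme is case-insensitive */
    for (v += 6; *v == ' '; v++) ;
    for (; *v && *v != '='; v++) {
        int d = b64val((unsigned char)*v);
        if (d < 0 || n + 1 >= sizeof buf) return -1;
        acc = (acc << 6) | (unsigned)d;
        if ((bits += 6) >= 8) { bits -= 8; buf[n++] = (char)((acc >> bits) & 0xFF); }
    }
    while (*v == '=') v++;                  /* skip padding */
    if (*v != '\0') return -1;              /* junk after the credentials */
    buf[n] = '\0';
    if (strlen(buf) != n) return -1;        /* embedded NUL byte */
    if ((colon = strchr(buf, ':')) == NULL) return -1;
    *colon = '\0';                          /* first ':' separates user from password */
    if (strlen(buf) >= ulen || strlen(colon + 1) >= plen) return -1;
    strcpy(user, buf);
    strcpy(pass, colon + 1);
    return 0;
}

int main(void) {
    char u[64], p[64];
    /* Constructed sample: the example credentials from RFC 2617. */
    if (parse_basic_auth("BASIC QWxhZGRpbjpvcGVuIHNlc2FtZQ==", u, sizeof u, p, sizeof p) == 0)
        printf("user=%s password=%s\n", u, p);
    return 0;
}
```

Because base64 is an encoding and not encryption, every request carrying this header exposes the password to anything that can read the traffic, which is why the browser resending it on each request matters.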

  2. #2
    Lean Mean Coding Machine KONI's Avatar
    Join Date
    Mar 2007
    Location
    Luxembourg, Europe
    Posts
    444
    I couldn't find any such directive in the HTTP Authentication: Basic and Digest Access Authentication RFC.

  3. #3
    Malum in se abachler's Avatar
    Join Date
    Apr 2007
    Posts
    3,195
    If you want the server to force the client to forget its username and password, just return WWW-Authenticate and most commercial applications will prompt the client for their username and password again. As far as dropping the connection, just close the socket and they will be forced to reauthenticate when they reconnect (if you wrote the server right that is).

  4. #4
    Registered User
    Join Date
    Mar 2005
    Location
    Juneda
    Posts
    291
    Hello, thanks to both for the time and help. And sorry for the delay in responding.

    KONI: yes, I have already taken a look at the RFC and I also haven't found anything for that (I suppose that I haven't misunderstood any part).

    abachler: I have tried that now, but there's still something unclear: the webpage will have a logout link, so when the user clicks on it, the client will send a logout request (still with the username/password) and now there are 2 ways:

    - if the server returns only a '401 Unauthorized' header the browser client won't forget the username/password

    - if the server returns the '401 Unauthorized' with a 'WWW-Authenticate:' header, the browser client will prompt for the user/password

    I'm trying to log out directly, without re-asking for the usr/pwd in the logout process.

    Another thing I'm trying is to send a simple cookie that informs whether the client is logged in or not: then when the user clicks on the logout, the server returns a setcookie with a simple value (e.g. '0'), so after that, even if the client sends a request for the restricted file, the cookie will inform the server which state the client is in. But I'm not sure about that, because to definitively forget the usr/pwd from the client I should close the browser; I'm afraid that a usr#1 can log in, do the work, log out (with the cookie, so the client header request will still contain the usr/pwd), and then a usr#2 can work with the client options until getting in some way the private usr/pwd from the last user, because even if the cookie says not logged in, the client still remembers those values.

    I'm not sure how to continue with that.
    Any help, comment, etc. will be welcome.

    More thanks
    Niara
