Http www-authenticated connections

This is a discussion on Http www-authenticated connections within the Networking/Device Communication forums, part of the General Programming Boards category; Hello, I have a problem with a client/server http connection after a 'WWW-Authenticate' return from the server and the next ...

  1. #1
    Registered User
    Join Date
    Mar 2005
    Location
    Juneda
    Posts
    287

    Http www-authenticated connections

    Hello, I have a problem with a client/server http connection after a 'WWW-Authenticate' return from the server and the next 'Authorization: ' requests from the client. That's the working line

    Code:
    Client send a request for a restricted file
    
        GET /file.rst HTTP/1.0
        Accept: */*
    
    
    but because is a restricted file the server returns a 'need authorization' response
    
        HTTP/1.0 401 Unauthorized
        WWW-Authenticate: BASIC realm="System Administrator"
    
    
    Ok, the client opens a default popup asking the user for a name and password, and the it resends 
    the restricted file request with the user:password in BASIC base64 encoding
    
        GET /file.rst HTTP/1.0
        Accept: */*
        Authorization: BASIC aaAaAaAAaa
    
    
    The the server checks the user and password and (if it's right) sends the restricted file.
    Since here there isn't any problem, but after the server has accepted once a user/password, the client sends it in each request. My question is: what should the server have to send to the client to force it to logout (or to force it to forget the user/passw)? If I close the browser then the user is also loggedout (from the client memory), but I was wondering if the server can send a header like 'WWW-Authenticate: Forget Actual User' (of course I haven't tryed to send that ).


    Note: the server is a simple server I've created, and the client is one of the 'professional' availables.


    Thank's in advance
    Niara
    Last edited by Niara; 06-03-2007 at 01:25 PM.

  2. #2
    Lean Mean Coding Machine KONI's Avatar
    Join Date
    Mar 2007
    Location
    Luxembourg, Europe
    Posts
    444
    I couldn't find any such directive in the HTTP Authentication: Basic and Digest Access Authentication RFC.

  3. #3
    Malum in se abachler's Avatar
    Join Date
    Apr 2007
    Posts
    3,189
    if you want the server to force the client to forget its username and password, just return WWW-Authenticate and most commercial applications will prompt the client for their username and password again. As far as dropping the connection, just close the socket and they will be forced to reauthenticate when they reconnect (if you wrote the server right that is).
    Until you can build a working general purpose reprogrammable computer out of basic components from radio shack, you are not fit to call yourself a programmer in my presence. This is cwhizard, signing off.

  4. #4
    Registered User
    Join Date
    Mar 2005
    Location
    Juneda
    Posts
    287
    Hello, thank's both for the time and help. And sorry for the delay on response.

    KONI: yes, I have already taked a loot at the rfc and I also haven't find anything for that (I suppose that I haven't misunderstood any part ).

    abachler: I have tried that now, but there's still something unclear: the webpage will have a logout link, so when the user clicks on it, the client will send a logout request (still with the usrname/password) and now there's 2 ways:

    - if the server returns only a '401 Unauthorized' header the browser client won't forgot the username/password

    - if the server returns the '401 Unauthorized' with an a 'WWW-Authenticate:' header, the browser client will prompt for the user/password

    I'm trying to logout directly, without reasking the usr/pwd on the logout process.

    Another thing I'm trying is to send a simple coockie that informs if the client is logged or not: then when the user click on the logout, the server returns a setcookie with a simple value (i.ex. '0'), so after that even if the client sends a request for the restricted file the cookie will inform the server wich is the state of the client. But I'm not sure about that because to forget definetively the usr/pwd from the client I should close the browser; I'm afraid that a usr#1 can login, do the work, logout (with the cookie, so the client header request will content still the usr/pwd), and then an usr#2 can work with the client options till get in some way the private usr/pwd from the last user because even the cookie is not logged, the client still remember those values.

    I'm not sure on how to continue with that.
    Whatever help - comment - etc will be welcomed.

    More thank's
    Niara

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Error stop Http Listener
    By George2 in forum C# Programming
    Replies: 1
    Last Post: 06-04-2008, 02:14 AM
  2. C# HTTP request/response
    By George2 in forum C# Programming
    Replies: 0
    Last Post: 04-02-2008, 06:00 AM
  3. looking for small freeware library that support http connections
    By umen242 in forum Networking/Device Communication
    Replies: 0
    Last Post: 03-23-2008, 03:21 AM
  4. WireWorld
    By Salem in forum Contests Board
    Replies: 34
    Last Post: 11-08-2006, 12:39 PM
  5. Writing all HTTP requests from a website to a log file
    By goomyman in forum C# Programming
    Replies: 1
    Last Post: 07-29-2005, 09:18 AM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21