I noticed that once Firefox pops up a modal in response to a WWW-Authenticate header in an HTTP response, it saves the username/password until Firefox is closed. The Web Developer plug-in makes it possible for developer-minded people to log out. But what HTTP message should be sent to the browser to make it lose those cached credentials?
3 Answers
I'm afraid there is no way to gracefully send the browser the order to stop keeping (and sending in each HTTP request to your server) the credentials that you reclaimed at the beginning of the user's navigation (through an HTTP 401 response).

I found a reasonable workaround. It's a bit involved, but works very well. I created a table with a GUID field. It didn't start with any records. Here's the solution:
- User clicks "Logout".
- Logout script adds a GUID to the new table.
- Logout script redirects the user to a URL that has the GUID as a parameter.
- When a user hits a URL with the GUID as a parameter, the system searches the table for the GUID.
- If the GUID is in the table, remove the record with the GUID and give an invalid username/password response code (even if the credentials are okay).
- If the GUID is not in the table, validate the credentials.
This new table can get bloated fast by hackers, so be sure each user can only have one entry in the table. You could also use timestamps and have a batch job to prune the table every so often.

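The GUID workaround above, implemented end to end as an added example (this is not the answerer's code). It assumes HTTP Basic auth, a hypothetical user `alice`, an in-memory dict standing in for the GUID table, and handlers that return `(status, headers, body)` tuples; tokens are keyed by user so each user has at most one entry, and stale entries are pruned on every request instead of by a batch job.

```python
import base64, secrets, time
from urllib.parse import parse_qs, urlencode

USERS = {"alice": "correct horse"}  # constructed credential store for this example
LOGOUT_TOKENS = {}  # user -> (token, created_at); one entry per user bounds table growth
TOKEN_TTL = 300  # seconds; stale entries are pruned on every request
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="example"'}, "")

def basic_header(user, password):
    """The Authorization header a browser sends once it has cached Basic credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    return (user, password) if sep else None

def logout(auth_header, now=None):
    """Steps 1-3: store a one-time token and redirect to a URL carrying it."""
    now = time.time() if now is None else now
    creds = parse_basic(auth_header)
    if creds is None or USERS.get(creds[0]) != creds[1]:
        return CHALLENGE  # only an authenticated user may add an entry
    token = secrets.token_urlsafe(16)
    LOGOUT_TOKENS[creds[0]] = (token, now)  # replaces any older entry for this user
    return 302, {"Location": "/?" + urlencode({"logout": token})}, ""

def protected(auth_header, query="", now=None):
    """Steps 4-6: a token found in the table forces a 401 even for valid credentials."""
    now = time.time() if now is None else now
    for user in [u for u, (_, t) in LOGOUT_TOKENS.items() if now - t > TOKEN_TTL]:
        del LOGOUT_TOKENS[user]  # the answer's periodic prune, done inline here
    creds = parse_basic(auth_header)
    if creds is None:
        return CHALLENGE
    user, password = creds
    token = parse_qs(query).get("logout", [None])[0]
    stored = LOGOUT_TOKENS.get(user)
    if token and stored and secrets.compare_digest(stored[0].encode(), token.encode()):
        del LOGOUT_TOKENS[user]  # single use; the browser re-prompts and drops the old credentials
        return CHALLENGE
    if USERS.get(user) != password:
        return CHALLENGE
    return 200, {}, f"hello {user}"
```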
Firefox will clear its cached WWW-auth UN/PW with a 403 Forbidden.
Chrome will clear with a 403 Forbidden or a 401 Not Authorized.
Safari will always prompt you if you want to cache or not.
IE is poop.

- Unfortunately, with WWW-auth Chrome does not clear PHP_AUTH_USER with either a 401 Unauthorized or a 403 Forbidden header. – jacouh Oct 15 '13 at 11:55
- Nice catch. I believe they used to. Seems it was changed somewhere around Chrome 18, if I'm reading right. Turns out, the best practice in this situation is not to use WWW-auth at all because no modern browsers handle it according to spec. Better choice if you don't want to persist the credentials is to store login in a cookie or session that you are able to flush more easily. Sorry if that's not ideal... – pieman72 Oct 18 '13 at 08:01