[Melbourne-pm] Web auth meth

Mathew Robertson mathew.robertson at netratings.com.au
Wed Sep 10 18:46:42 PDT 2008

>> Thats not strictly true, ie;
>> 1. go to page located behind https url,
>> 2. page contains a username/password form entry fields
>> 3. the onsubmit handler sends XMLHttpRequest with the appropriate 
>> auth-headers set using those form fields
> Nice interesting solution. I will play with that. How well does that 
> work on IE6?
> Mind you I still would not use it, as it supports no safe logout and 
> no ability to timeout or logout from the server end.
AFAICR, we have had an issue - but my care factor for IE6 is pretty low, 
so I may not have noticed.

I dont think the "no logout" is strictly true - I think you could do the 

on the first request it will send the user/pass; if you also send 
through a form token -> the server then initialises a "login time" field 
with the form token.

Subsequent requests you then send the token.  When there is a long delay 
from the last request (ie: you can validate against the token), you can 
send a "not authorized" response.  The browser then will retry 
indefinitely as it will show that ugly popup, but it wont send the token 
-> it would require the user to go back to the login page.  
Alternatively, you could send back an "authorized" response, but 
redirect back to the login page.


More information about the Melbourne-pm mailing list