当前位置: 文江博客话题详情

http 基本身份验证“注销”

发布于 2024-10-02 06:09:13 字数 473 浏览 7 评论 0原文

HTTP 基本身份验证凭据会一直存储到浏览器关闭为止,但是有没有办法在浏览器关闭之前删除凭据呢?

我读到了关于 HTTP 401 状态代码的技巧,但似乎工作不正常(请参阅评论回答)。也许trac 使用的机制就是解决方案

可以使用 JavaScript 删除凭据吗?或者结合 JavaScript 和状态 401 技巧?

原文

HTTP basic authentication credentials are stored until the browser is closed, but is there a way to remove the credentials before the browser is closed?

I read about a trick with HTTP 401 status code, but it seems to work not properly (see comment to answer). Maybe the mechanism trac uses is the solution.

Can the credentials be deleted with JavaScript? Or with a combination of JavaScript and the status 401 trick?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(9

遥远的她 2024-10-09 06:09:13

更新:此解决方案似乎在许多浏览器中不再起作用。凯津评论:

这种发送虚假凭据以使浏览器忘记正确的经过身份验证的凭据的解决方案在 Chrome (16) 和 IE (9) 中不起作用。适用于 Firefox (9)。

实际上,您可以通过向服务发送虚假凭据来实现解决方法。这在浏览器中可以通过发送另一个(不存在?)没有密码的用户名来实现。浏览器丢失有关经过身份验证的凭据的信息。

例子:

https://www.example.com/ =>登录
基本身份验证为“user1”

现已开放

https://[电子邮件受保护]/

您已退出。 ;)

问候

P.s.:但是,在您依赖给定的信息之前,请使用所有需要的浏览器对此进行测试。

Update: This solution does not seem to work anymore in many browsers. Kaitsu's comment:

This solution of sending false credentials to make browser forget the correct authenticated credentials doesn't work in Chrome (16) and IE (9). Works in Firefox (9).

Actually you can implement a workaround by sending false credentials to the service. This works in Browsers by sending another (non-existent?) Username without a password. The Browser loses the information about the authenticated credentials.

Example:

https://www.example.com/ => Log in
with basic auth as "user1"

Now open

https://[email protected]/

You're Logged out. ;)

Regards

P.s.: But please test this with all needed Browsers before you rely on the given information.

回复 原文
雨夜星沙 2024-10-09 06:09:13

扩展 Jan. 的答案,并更新 owyongsk 的答案:

这里是一些示例 jquery java 脚本代码,导致浏览器本质上向您尝试保护的页面发送虚假登录请求,这在所有测试的浏览器中都会导致缓存凭据被删除,然后将用户重定向到不受保护的页面。

出现问题时的alert()可能应该更改为其他内容。

//Submits an invalid authentication header, causing the user to be 'logged out'
function logout() {
    $.ajax({
        type: "GET",
        url: "PUT_YOUR_PROTECTED_URL_HERE",
        dataType: 'json',
        async: true,
        username: "some_username_that_doesn't_exist",
        password: "any_stupid_password",
        data: '{ "comment" }'
    })
//In our case, we WANT to get access denied, so a success would be a failure.
.done(function(){
    alert('Error!')
})
//Likewise, a failure *usually* means we succeeded.
//set window.location to redirect the user to wherever you want them to go
.fail(function(){
    window.location = "/";
    });
}

然后,就像让注销链接调用 logout() 函数一样简单,并且它似乎对用户来说可以无缝工作,尽管从技术上来说它仍然是一项黑客工作。

Expanding on Jan.'s answer, and updating owyongsk's answer:

Here is some example jquery java-script code to cause the browser to essentially send a bogus login request to the page your trying to protect, which in all tested browsers caused the cached credentials to be removed, then redirects the user to a non-protected page.

The alert() when something goes wrong should probably be changed to something else.

//Submits an invalid authentication header, causing the user to be 'logged out'
function logout() {
    $.ajax({
        type: "GET",
        url: "PUT_YOUR_PROTECTED_URL_HERE",
        dataType: 'json',
        async: true,
        username: "some_username_that_doesn't_exist",
        password: "any_stupid_password",
        data: '{ "comment" }'
    })
//In our case, we WANT to get access denied, so a success would be a failure.
.done(function(){
    alert('Error!')
})
//Likewise, a failure *usually* means we succeeded.
//set window.location to redirect the user to wherever you want them to go
.fail(function(){
    window.location = "/";
    });
}

Then it was as easy as just having the logout link call the logout() function, and it seemed to work seamlessly to the user, though it is still technically a hack job.

回复 原文
浮云落日 2024-10-09 06:09:13

您可以尝试目前适用于最新 Chrome 和 Firefox 的 hack。在您的服务器上创建一个“/logout”页面,该页面仅接受特定凭据,例如用户名:false,密码:false。然后使用下面的 AJAX 请求,您可以将用户发送到该页面。

  $("#logout").click(function(e){                                              
    e.preventDefault();                                                        
    var request = new XMLHttpRequest();                                        
    request.open("get", "/logout", false, "false", "false");                                                                                                                               
    request.send();                                                            
    window.location.replace("WHEREVER YOU WANT YOUR LOGGED OUT USER TO GO");                                              
  });

发生的情况是,错误的用户名和密码是从有效的 XMLHttpRequest 而不是当前用户的凭据中缓存的,当用户尝试登录任何页面时,它将使用缓存的假凭据,无法进行身份验证,它会询问用户输入另一项。希望这有帮助!

You can try a hack that is working at the moment with the latest Chrome and Firefox. Create a "/logout" page on your server which accepts only a certain credential such as username: false, password: false. Then using this AJAX request below, you can send the user to that page.

  $("#logout").click(function(e){                                              
    e.preventDefault();                                                        
    var request = new XMLHttpRequest();                                        
    request.open("get", "/logout", false, "false", "false");                                                                                                                               
    request.send();                                                            
    window.location.replace("WHEREVER YOU WANT YOUR LOGGED OUT USER TO GO");                                              
  });

What happens is that the false username and password is cached from the valid XMLHttpRequest instead of the current user's credentials, and when a user tries to login into any page, it will use the cached fake credentials, failing to authenticate, it will ask the user to enter another one. Hope this helps!

回复 原文
只想待在家 2024-10-09 06:09:13

刚刚完成一个对我来说效果很好的实现:
在服务器上,我评估会话、用户名和密码,因此我跟踪这些信息,登录算法如下:

1.检查用户和密码是否不为空,否则返回 401。

2.检查我们是否已注册session 在我们的登录用户列表中,如果不是,则检查用户和密码是否有效,如果有效,则将 session id 保存在我们的列表中,然后返回 401。
我将解释此步骤:如果会话 id 不同,则会发生以下三种情况之一:
a) 用户正在打开另一个窗口。
b) 用户会话已完成,即用户注销。
c) 会话由于不活动而过期。
但是我们希望只要用户凭据有效就保存会话,但返回 401 询问一次密码,如果我们不保存会话,则用户永远无法登录,因为我们没有新的会话 ID在我们的名单中。

3.检查用户凭据是否正确,如果正确,则保存会话信息并继续提供页面,否则返回401。

因此,我必须注销用户的唯一方法是当用户请求注销页面时关闭服务器上的会话Web 浏览器再次显示登录对话框。

我在想,当我写这篇文章时,必须有一个步骤,程序检查用户是否已经登录以避免假冒,也许我可以为每个用户保存多个会话 ID 以允许多个会话,好吧,我想您对此的评论。

希望您明白这一点,如果您发现任何安全缺陷,请发表评论;)

just finishing an implementation that worked fine to me:
At the server I evaluate Session, User Name and password, so I keep track of that information, the login algoritm is as follows:

1.Check if user and password is not empty, else return 401.

2.Check if we have registered the session in our logged-in user list, if not then check if user and password is valid and if so save session id in our list, then return 401.
I'll explain this step: if the session id is different one of three things happened:
a) The user is opening another window.
b) The user session has finished, ie user logged out.
c) The session expired due to inactivity.
But we want to save the session as long as the user credentials are valid but return a 401 to ask once for password, if we don't save the session then the user could never log in because we don't have the new session id in our list.

3.Check if user credentials are right, if so, save session info and continue serving pages, else return 401.

So, the only thing I have to logout a user is to close the session at the server when the user requests the logout page and the web browser shows again the login dialog.

I'm thinking as I write this that there has to be a step where the program checks if the user is already logged to avoid impersonation, maybe I can save more than one session id per user to allow multiple session, well, I would like your comments about it.

Hope you get the idea, and comment if you see any security flaw ;)

回复 原文
水波映月 2024-10-09 06:09:13

您可以使用 JavaScript 删除凭据:

    $("#logout").click(function(){
        try {
            document.execCommand("ClearAuthenticationCache");
            window.location.href('/logout.html'); // page with logout message somewhere in not protected directory
        } catch (exception) {}
    });

此代码仅适用于 IE。这就是在那里添加 try/catch 块的原因。
另外,出于同样的原因,您应该仅向 IE 用户显示注销链接:

    <!--[if IE]>
        <div id="logout">[Logout]</div>
    <![endif]-->

对于其他用户,我的建议如下:

    <div id="logout2" onclick="alert('Please close your browser window to logout')">[Logout]</div>

You can delete credentials with JavaScript:

    $("#logout").click(function(){
        try {
            document.execCommand("ClearAuthenticationCache");
            window.location.href('/logout.html'); // page with logout message somewhere in not protected directory
        } catch (exception) {}
    });

This code works only in IE. This is the reason why try/catch block is added there.
Also, for the same reason the logout link you should show for IE users only:

    <!--[if IE]>
        <div id="logout">[Logout]</div>
    <![endif]-->

And for other users my suggestion is something like:

    <div id="logout2" onclick="alert('Please close your browser window to logout')">[Logout]</div>
回复 原文
层林尽染 2024-10-09 06:09:13

如果您可以控制服务器代码,则可以创建一个“注销”功能,无论给出的凭据如何,都会回复“401 Unauthorized”。此故障会强制浏览器删除已保存的凭据。

我刚刚在 Chrome 34、IE 11、Firefox 25 上进行了测试 - 使用 Express.js 服务器和 HTTP 基本身份验证。

If you have control over the server code, you can create a "logout" function that replies "401 Unauthorized" regardless of the credentials given. This failure forces browsers to remove saved credentials.

I just tested this with Chrome 34, IE 11, Firefox 25 - using Express.js server and HTTP basic authentication.

回复 原文
英雄似剑 2024-10-09 06:09:13

Chrome(版本 66)中对我有用的方法是将 Ajax 请求发送到返回 401 的 URL。这样基本身份验证缓存似乎已被清除。

var xhttp = new XMLHttpRequest();
xhttp.open("GET", "/url_that_returns_401", true);
xhttp.send();

What has worked for me in Chrome (Version 66) is to send an Ajax request to an URL that returns 401. That way the basic authentication cache seems to be cleared.

var xhttp = new XMLHttpRequest();
xhttp.open("GET", "/url_that_returns_401", true);
xhttp.send();
回复 原文
何必那么矫情 2024-10-09 06:09:13

此代码在 Chrome(版本 83)中对我有用:

var xhttp = new XMLHttpRequest(); 
xhttp.open("GET", "/url_that_return_401", true); 
xhttp.setRequestHeader('Authorization', 'Basic '); 
xhttp.send();

需要执行此代码(可能通过按钮单击或控制台窗口),然后出现提示,您需要按“取消”按钮。然后身份验证字段将被清除,您可以刷新页面并使用其他凭据登录。

This codes worked for me in Chrome (version 83):

var xhttp = new XMLHttpRequest(); 
xhttp.open("GET", "/url_that_return_401", true); 
xhttp.setRequestHeader('Authorization', 'Basic '); 
xhttp.send();

Need to execute this code (maybe by button click or console window) and then prompt appeared, you need to press Cancel button. Then authentication fields clears and you can refresh page and login in with another credentials.

回复 原文
我一向站在原地 2024-10-09 06:09:13

将随机数标记为无效。我对服务器端进行了 Ajax 调用,要求注销。服务器端在标头中获取“Authenticate: Digest...”请求。它从该行中提取 nonce="" 并将其添加到禁用的 nonce 列表中。因此,下次浏览器发送带有“Authenticate: Digest...”行的请求时,服务器会回复 401。这使得浏览器要求用户提供新的用户 ID/密码。

适用于我的应用程序,但仅适用于摘要式身份验证。

Mark the nonce as invalid. I did an Ajax call to the server side asking to logout. The server side gets the "Authenticate: Digest..." request in a header. It extracts the nonce="" from that line and adds it to a list of disabled nonces. So next time the browser sends that a request with that "Authenticate: Digest..." line the server replies with 401. This makes the browser ask the user for a new userid/password.

Works fine for my application but only for Digest authentication.

回复 原文
~没有更多了~

关于作者

眼趣

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

lorenzathorton8

文章 0 评论 0

Zero

文章 0 评论 0

萧瑟寒风

文章 0 评论 0

mylayout

文章 0 评论 0

tkewei

文章 0 评论 0

17818769742

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文