How to log out a user from a web site using BASIC authentication?


Question


Is it possible to log out a user from a web site if he is using basic authentication?

Killing the session is not enough, since, once the user is authenticated, each request contains the login info, so the user is automatically logged in the next time he/she accesses the site using the same credentials.

The only solution so far is to close the browser, but that's not acceptable from a usability standpoint.

Solution

Basic Authentication wasn't designed to manage logging out. You can do it, but not completely automatically.

What you have to do is have the user click a logout link, and send a ‘401 Unauthorized’ in response, using the same realm and at the same URL folder level as the normal 401 you send requesting a login.

They must be directed to input wrong credentials next, e.g. a blank username and password, and in response you send back a "You have successfully logged out" page. The wrong/blank credentials will then overwrite the previously correct credentials.

In short, the logout script inverts the logic of the login script, only returning the success page if the user isn't passing the right credentials.

The question is whether the somewhat curious "don't enter your password" password box will meet user acceptance. Password managers that try to auto-fill the password can also get in the way here.

Edit to add in response to comment: re-log-in is a slightly different problem (unless you require a two-step logout/login, obviously). You have to reject (401) the first attempt to access the relogin link, then accept the second (which presumably has a different username/password). There are a few ways you could do this. One would be to include the current username in the logout link (e.g. /relogin?username), and reject when the credentials match the username.
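One way to implement the logout and relogin endpoints described in the answer above, as an added example that is not code from the original answer or from any library: a small dispatcher in plain Python with no web framework, plus a model of the browser's credential caching so the whole flow can be walked through offline. The realm name "example", the /app/ folder prefix, the in-memory user table and the simulated request sequence are all assumptions constructed for this example.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, urlparse

# Assumptions for this example (not from the original answer): the protected
# area lives under /app/, the realm is "example", and the credential store is
# a constructed in-memory table. A real deployment would store password hashes.
REALM = "example"
USERS = {"alice": "s3cret", "bob": "hunter2"}


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if the
    header is missing, not Basic, or not valid base64 of 'user:password'."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(creds):
    """Constant-time check of a parsed (user, password) pair against USERS."""
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def challenge():
    """The 401 that makes the browser prompt. The realm must match the login
    401 exactly, or the browser treats it as a different protection space."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Authentication required"


def handle(path, authorization=None):
    """Dispatch a request inside the protected folder. Returns (status, headers, body)."""
    creds = parse_basic(authorization)
    route = urlparse(path)

    if route.path == "/app/logout":
        # Inverted logic: the first click still carries the cached good
        # credentials, so answer 401 with the same realm to force a new prompt.
        # Whatever the user types next (blank or wrong) fails validation, is
        # accepted here, and replaces the cached credentials in the browser.
        if credentials_valid(creds):
            return challenge()
        return 200, {}, "You have successfully logged out"

    if route.path == "/app/relogin":
        # /app/relogin?username=<current user>: reject while the cached
        # credentials still belong to that user, accept a different valid user.
        current = parse_qs(route.query).get("username", [""])[0]
        if not credentials_valid(creds) or creds[0] == current:
            return challenge()
        return 200, {}, f"Now logged in as {creds[0]}"

    # Any other resource: the ordinary login logic.
    if not credentials_valid(creds):
        return challenge()
    return 200, {}, f"Hello {creds[0]}"


def simulate_logout_flow():
    """Model the browser: it resends the credentials the server last accepted
    for this realm and folder. Returns the list of status codes observed."""
    cached, statuses = None, []
    for path, typed in [
        ("/app/", None),                 # first visit, nothing cached -> prompt
        ("/app/", ("alice", "s3cret")),  # prompt answered with good credentials
        ("/app/logout", None),           # logout click, browser resends alice
        ("/app/logout", ("", "")),       # new prompt answered with blank creds
        ("/app/", None),                 # browser now resends the blank pair
    ]:
        if typed is not None:
            cached = basic_header(*typed)
        status, _, _ = handle(path, cached)
        statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(simulate_logout_flow())
```

Running the simulation yields the status sequence 401, 200, 401, 200, 401: the user is prompted, logs in, clicks logout and is re-prompted, submits blank credentials and sees the logout page, and from then on every request to the folder is challenged again because the browser is replaying the blank pair. The client side of this is entirely browser behaviour, which is why the answer warns that password managers can interfere; and because Basic credentials are only base64-encoded, not encrypted, any real deployment of this pattern belongs behind TLS.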
