如何退出使用基本身份验证的网站的用户？ [英] How to log out user from web site using BASIC authentication?

问题描述

是否有可能，如果他使用基本身份验证，以从网站注销用户？

Is it possible to log out user from a web site if he is using basic authentication?

杀会议是不够的，因为，一旦用户通过验证后，每个请求包含登录信息，这样用户在下次自动登录使用相同的凭据，他/她访问该网站。

Killing session is not enough, since, once user is authenticated, each request contains login info, so user is automatically logged in next time he/she access the site using the same credentials.

唯一的解决办法，到目前为止是关闭浏览器，但是这不是从实用性的角度来看可以接受的。

The only solution so far is to close browser, but that's not acceptable from the usability standpoint.

推荐答案

基本身份验证并不是用来管理注销。你可以这样做，但不能完全自动。

Basic Authentication wasn't designed to manage logging out. You can do it, but not completely automatically.

您需要做的是让用户单击注销链接，并发送一个401未授权响应，使用相同的领域，并在同一URL文件夹级别为正常401你送请求登录。

What you have to do is have the user click a logout link, and send a ‘401 Unauthorized’ in response, using the same realm and at the same URL folder level as the normal 401 you send requesting a login.

他们必须直接输入错误的凭据接下来，例如。一个空白的用户名和密码，并针对您发回一个您已成功退出的页面。接错/空白凭证将覆盖previous正确的凭据。

They must be directed to input wrong credentials next, eg. a blank username-and-password, and in response you send back a "You have successfully logged out" page. The wrong/blank credentials will then overwrite the previous correct credentials.

总之，注销脚本反转登录脚本的逻辑，只返回成功页面，如果用户的不的传递正确的凭据。

In short, the logout script inverts the logic of the login script, only returning the success page if the user isn't passing the right credentials.

问题是，是否有点好奇不输入密码，密码箱将满足用户的认可。密码管理的尝试自动填写密码也可以在这里得到的方式。

The question is whether the somewhat curious "don't enter your password" password box will meet user acceptance. Password managers that try to auto-fill the password can also get in the way here.

编辑以响应添加评论：重新登录是一个稍微不同的问题（除非您需要两步注销/登录明显）。你必须拒绝（401）以访问重新登录链路，比接受第二个（其中presumably具有不同的用户名/密码）的首次尝试。还有你能做到这几个方面。其中之一是包括在注销链接当前用户名（如/重新登录？用户名），并拒绝在凭证匹配用户名。

Edit to add in response to comment: re-log-in is a slightly different problem (unless you require a two-step logout/login obviously). You have to reject (401) the first attempt to access the relogin link, than accept the second (which presumably has a different username/password). There are a few ways you could do this. One would be to include the current username in the logout link (eg. /relogin?username), and reject when the credentials match the username.

这篇关于如何退出使用基本身份验证的网站的用户？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！