如何注销用户基本的HTTP认证 [英] How to logout user for basic HTTP authentication

问题描述

我用Google搜索，并通过previous岗位去下面这个话题，但没有找到合适的解决问题的方法。

I googled and went through previous posts as below on this topic but could not find right solution to the problem

<一个href=\"http://stackoverflow.com/questions/2131767/logout-with-basic-authentication-without-closing-webbrowser-like-banking-sites-wi\">link文字

链接文本
是否有注销用户的解决方案（请在浏览器清除其缓存的凭据，并要求用户再次登录凭证），用于基本的HTTP验证？

link text Is there a solution to logout a user (make a browser clear its cached credentials and ask user to login credential once again) for basic HTTP authentication?

推荐答案

是的，但它不是很顺畅。

Yes, but it's not very smooth.

您有一个特殊的脚本URL（如 /注销;喜欢登录脚本它必须是在Web应用程序的根，以确保在auth被设置为正道），其中，而不需要一个有效的用户名/密码来进行，需要一个无效的。

You have a special script URL (eg /logout; like a login script it must be in the root of the webapp to ensure the auth gets set to the right path), which, instead of requiring a valid username/password to proceed, requires an invalid one.

所以，登录用户点击 /注销在授权发送的有效凭证头。你的脚本响应 401 ，并且浏览器弹出一个用户名/密码提示。你告诉用户把假值（或者，在大多数浏览器，只保留为空的也没关系），并点击OK。这种替换无效问卷，有效存储的凭据。您的脚本，然后返回一个退出页面或重定向回主页，并在用户不再登录。

So the logged-in user hits /logout, sending valid credentials in the Authorization header. Your script responds 401, and the browser pops up a username/password prompt. You tell the user to put false values in (or, in most browsers, just leaving it blank is OK too) and hit OK. This replaces the valid stored credentials with invalid ones. Your script then returns a ‘logged out’ page or a redirect back to the home page, and the user is no longer logged in.

（护理：Safari浏览器，遗憾的是，首先通过没有任何凭据每个HTTP请求，只有存储的凭据再次尝试，如果它得到一个 401 响应这意味着你不应该 t拍摄没有授权头为用于注销脚本确定的请求;它必须是present，即使在空白凭证这个不幸的行为也表示。你不能提供一个登录的和不登录在同一个页面，Safari用户的版本相同的URL下，它使Safari浏览器在缓慢浏览基本保护的网站，因为每个页面请求已发生两次）。

(Care: Safari, sadly, passes every HTTP request without any credentials first, only trying again with stored credentials if it gets a 401 response. This means you shouldn't take a request with no Authorization header as being OK for the logout script; it must be present, even if with blank credentials in it. This unfortunate behaviour also means you can't provide a logged-in and not-logged-in version of the same page to Safari users under the same URL, and it makes Safari slow at browsing Basic-protected sites, since every page request has to happen twice.)

有是有时使用另一种方法：使用JavaScript来发送 XMLHtt prequest 用假的用户名/密码组合设备（如 xhr.open（GET，/应用程序'，真正的'_'，'_'））。这有取代在IE和Firefox存储的凭证的非标副作用（但不是歌剧;不知道其他人）。

There is another way that is sometimes used: use JavaScript to send an XMLHttpRequest with a fake username/password combo (eg xhr.open('GET', '/app', true, '_', '_')). This has the non-standard side-effect of replacing the stored credentials in IE and Firefox (but not Opera; not sure about the others).

[唉。这是一种痛苦。难怪大家都使用cookies，而不是...]

[Ugh. This is a pain. No wonder everyone uses cookies instead...]

这篇关于如何注销用户基本的HTTP认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！