Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi all, I am using HTTP basic authentication (using HTTPS) to authenticate the users who access my HTML pages. I am using Perl scripts to manipulate the POST data that I get from the user input. I would like to have a logout button, but I read somewhere that it's not possible to have a logout button with HTTP basic authentication. Is this true? If so, do you know what other options I have that would support a logout button? I heard about cookie-based authentication, but I'm not sure how that works and what I would need to implement this logout button. I know that Perl has some world wide web modules, but being a novice to Perl, I'm not sure how to apply those modules. Is there some sample code that I can look at? Also, the user can click 'back' without the page expiring. Is this a security issue? If so, why? Finally, how can I make the page expire? Can I do this with Perl? I heard about this "session" variable that I can keep track of in my HTML pages, but I'm not sure how that works. Any pointers would be greatly appreciated. Thanks! Monica

Re: Web logout button and HTML page expiration
by tachyon (Chancellor) on Feb 06, 2003 at 01:50 UTC

    With basic authentication a client remains authenticated until they kill their browser.

    Probably the easiest way is to write an authentication script that sets a cookie on the client machine. You can then unauthenticate by deleting the cookie. You can also update the cookie each time the user hits a page and thus include a timeout check so that a new authentication is required after x minutes of user inactivity - this prevents hijacking a session using cached pages (session ID)/cookies.

    Typically I don't use cookies. Rather, I embed a session ID in the pages displayed, linked to a database on the server, as you can't rely on cookies being enabled, but the basic principle is the same. User authenticates and you store a snippet of data somewhere you can associate it with that user and delete/modify it at will.

    Do a Super Search for 'basic cookie management' or 'session id' or 'authentication' as there is a huge volume of stuff on this here on the site.

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
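The following is an added worked example of the scheme tachyon describes (a session record on the server, a cookie carrying only the session ID, an inactivity timeout refreshed on every hit, and logout by deleting the record and the cookie). It is not code from tachyon's post or from the original thread. Assumptions: the "database" is an in-memory hash so the script runs offline; the user table, password and simulated clock are constructed for the demo; the session ID comes from /dev/urandom (on a platform without it you would use a CSPRNG module); and, since Monica also asked how to stop 'back' from showing an authenticated page, the example adds the Cache-Control/Pragma/Expires headers that tell the browser not to cache such pages, which the reply itself does not cover.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: cookie-backed server-side
# sessions with logout and an inactivity timeout. %SESSIONS stands in for
# the database tachyon mentions; requests are simulated so this runs offline.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $IDLE_TIMEOUT = 15 * 60;   # seconds of inactivity before re-authentication
my $COOKIE_NAME  = 'sid';
my %SESSIONS;                 # sid => { user => ..., last_seen => epoch seconds }

# Constructed credential table for the demo. Unsalted SHA-256 is used only to
# keep the example short; real password storage needs a salted slow hash.
my %USERS = ( monica => sha256_hex('correct horse battery staple') );

# 32 random bytes from the OS CSPRNG, hex-encoded. Never use rand() for this:
# the session ID is the only secret that ties a browser to a logged-in user.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read $fh, my $bytes, 32;
    close $fh;
    return unpack 'H*', $bytes;
}

# Response headers that stop browsers and proxies caching an authenticated
# page, so pressing 'back' after logout re-requests it instead of showing a
# stale copy.
sub no_cache_headers {
    return (
        'Cache-Control' => 'no-store, no-cache, must-revalidate',
        'Pragma'        => 'no-cache',
        'Expires'       => '0',
    );
}

# Verify credentials; on success create the server-side record and return
# the new session ID (undef on failure). $now is passed in for the demo clock.
sub login {
    my ($user, $password, $now) = @_;
    return unless defined $user && defined $password;
    my $expected = $USERS{$user} or return;
    return unless sha256_hex($password) eq $expected;
    my $sid = new_session_id();
    $SESSIONS{$sid} = { user => $user, last_seen => $now };
    return $sid;
}

# Map a presented session ID to a user name, or undef if unknown or idle too
# long. Refreshes last_seen on every hit, which is tachyon's "update the cookie
# each time the user hits a page": the idle clock restarts with each request.
sub authenticate {
    my ($sid, $now) = @_;
    return unless defined $sid;
    my $s = $SESSIONS{$sid} or return;
    if ($now - $s->{last_seen} > $IDLE_TIMEOUT) {
        delete $SESSIONS{$sid};   # expired: the user must log in again
        return;
    }
    $s->{last_seen} = $now;
    return $s->{user};
}

# Cookie carrying only the opaque ID. Secure keeps it on HTTPS, HttpOnly keeps
# it away from page scripts.
sub set_cookie_header {
    my ($sid) = @_;
    return "Set-Cookie: $COOKIE_NAME=$sid; Path=/; Secure; HttpOnly; SameSite=Lax";
}

# Logout: delete the server record AND tell the browser to drop the cookie.
# Deleting only the cookie would leave a still-valid ID in the store.
sub logout {
    my ($sid) = @_;
    delete $SESSIONS{$sid} if defined $sid;
    return "Set-Cookie: $COOKIE_NAME=; Path=/; Secure; HttpOnly; Max-Age=0";
}

# Demo run against a simulated clock (constructed traffic, not real requests).
my $t   = 1_000_000;
my $sid = login('monica', 'correct horse battery staple', $t) or die "login failed";
print set_cookie_header($sid), "\n";
my %h = no_cache_headers();
print "$_: $h{$_}\n" for sort keys %h;
print "hit at +1 min:  ", (authenticate($sid, $t + 60)    // 'denied'), "\n";  # monica
print "hit at +10 min: ", (authenticate($sid, $t + 600)   // 'denied'), "\n";  # monica (idle clock reset at +1)
print "hit at +30 min: ", (authenticate($sid, $t + 1800)  // 'denied'), "\n";  # denied: 20 min idle
print "forged id:      ", (authenticate('0' x 64, $t)     // 'denied'), "\n";  # denied
$sid = login('monica', 'correct horse battery staple', $t) or die "login failed";
print logout($sid), "\n";
print "after logout:   ", (authenticate($sid, $t + 1)     // 'denied'), "\n";  # denied
```

In a real CGI script the session ID would be read from the Cookie request header (or, following tachyon's preference, from a hidden form field or URL parameter), the %SESSIONS hash would be a database table, and the Set-Cookie and no-cache headers would be printed before the blank line that ends the HTTP header block. Note that because the browser keeps no credential other than the opaque ID, logout is entirely under the server's control, which is exactly what basic authentication lacks.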