On 10 May 2000 09:10:02 -0500, Anthony Baxter wrote:
> .. and even then, if they've had a previous successful auth for a page, the browser will re-use the token. The only _real_ way to do it properly is to pass a token to the client, and use that token to reference their authentication information. That way, when they log out, you destroy the authentication information on the server side.
Some browsers *do* only pass authentication info when the server requests it. We discovered this a couple of years ago when experimenting with the newly-developed domain authentication that I asked to be implemented in userfolders with Principia. Popular methodology was to pass the user through an authentication portal which triggered the client into establishing the site/authentication action, and then relying on the client to continue to send the authentication info even though the server objects weren't requiring it. This scheme didn't work with the clients which only sent auth. info when requested, so we made sure that all objects referenced the required authenticator objects at all times. Sites developed with this expectation that simple authentication portals are adequate can be quite trivial to bypass... It also became clear that I needed to thoroughly test all my sites with a browser which didn't automatically send auth info once 'portalled', as some of the failure modes were quite elaborate and almost impossible to determine without actual testing. Some were quite puzzling even though you were watching the failure occur.
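An added example modelling the two browser behaviours and the three ways an object can be wired, as described above (this is not code from the thread, nor from Zope or Principia); the site layout, object modes and the credential are constructed. The `audit` function is the "test with a browser that sends no credentials" check, done without a browser.

```python
import base64

GOOD = "Basic " + base64.b64encode(b"alice:s3cret").decode()  # constructed credential

# Three ways an object can be wired (constructed model of the site types in the thread):
#   "none"      : relies on the portal; never looks at credentials
#   "check"     : uses credentials if present but never challenges (no 401)
#   "challenge" : checks credentials and answers 401 + WWW-Authenticate when missing
def serve(mode, headers):
    """Return the HTTP status an object wired in `mode` gives for these headers."""
    if mode == "none":
        return 200
    if headers.get("Authorization") == GOOD:
        return 200
    return 401 if mode == "challenge" else 403

def browse(site, preemptive):
    """Walk the site in order the way a browser would, starting at the portal.
    preemptive=True : keep sending cached credentials with every request
    preemptive=False: send credentials only after a 401 for that request"""
    cached, result = None, {}
    for path, mode in site.items():
        headers = {"Authorization": cached} if (preemptive and cached) else {}
        status = serve(mode, headers)
        if status == 401:                       # challenge: the user supplies a password
            cached = GOOD
            status = serve(mode, {"Authorization": cached})
        result[path] = status
    return result

def audit(site):
    """Defensive check: request every object with no credentials at all.
    200 means the object is reachable without logging in (portal bypassed);
    403 means it checks credentials but never challenges, so challenge-only
    browsers fail on it in the puzzling ways the post describes."""
    bypassable = [p for p, m in site.items() if p != "/portal" and serve(m, {}) == 200]
    no_challenge = [p for p, m in site.items() if serve(m, {}) == 403]
    return bypassable, no_challenge

# Constructed site: portal first, then objects wired each of the three ways
SITE = {"/portal": "challenge", "/report": "none", "/stats": "check", "/admin": "challenge"}

if __name__ == "__main__":
    print("preemptive browser :", browse(SITE, True))
    print("challenge-only     :", browse(SITE, False))
    print("audit (bypassable, no-challenge):", audit(SITE))
```

With the preemptive browser every object answers 200, which hides both defects; only the challenge-only walk and the credential-less audit expose `/report` as bypassable and `/stats` as the object that breaks challenge-only clients.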