Javascript http基本身份验证“注销”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4163122/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
http basic authentication "log out"
提问by deamon
HTTP basic authentication credentials are stored until the browser is closed, but is there a way to remove the credentials before the browser is closed?
HTTP 基本身份验证凭据会一直存储到浏览器关闭为止,但是有没有办法在浏览器关闭之前删除凭据?
I read about a trick with HTTP 401 status code, but it seems to work not properly(see comment to answer). Maybe the mechanism trac uses is the solution.
我读到了HTTP 401 status code 的一个技巧,但它似乎无法正常工作(请参阅评论以回答)。也许trac使用的机制是解决方案。
Can the credentials be deleted with JavaScript? Or with a combination of JavaScript and the status 401 trick?
可以使用 JavaScript 删除凭据吗?或者结合 JavaScript 和状态 401 技巧?
回答by Jan.
Update: This solution does not seem to work anymore in many browsers. Kaitsu's comment:
更新:此解决方案似乎不再适用于许多浏览器。凯子的评论:
This solution of sending false credentials to make browser forget the correct authenticated credentials doesn't work in Chrome (16) and IE (9). Works in Firefox (9).
这种发送虚假凭据以使浏览器忘记正确的经过身份验证的凭据的解决方案在 Chrome (16) 和 IE (9) 中不起作用。适用于 Firefox (9)。
Actually you can implement a workaround by sending false credentials to the service. This works in Browsers by sending another (non-existent?) Username without a password. The Browser loses the information about the authenticated credentials.
实际上,您可以通过向服务发送虚假凭据来实施解决方法。这在浏览器中通过发送另一个(不存在?)没有密码的用户名来工作。浏览器会丢失有关经过身份验证的凭据的信息。
Example:
例子:
https://www.example.com/=> Log in with basic auth as "user1"
Now open
You're Logged out. ;)
https://www.example.com/=> 使用基本身份验证作为“user1”登录
现在开放
您已注销。;)
Regards
问候
P.s.: But please test this with all needed Browsers before you rely on the given information.
Ps:但是在依赖给定的信息之前,请使用所有需要的浏览器进行测试。
回答by 1n5aN1aC
Expanding on Jan.'s answer, and updating owyongsk's answer:
扩展 Jan. 的答案,并更新 owyongsk 的答案:
Here is some example jquery java-script code to cause the browser to essentially send a bogus login request to the page your trying to protect, which in all tested browsers caused the cached credentials to be removed, then redirects the user to a non-protected page.
这是一些示例 jquery java 脚本代码,它使浏览器本质上向您尝试保护的页面发送虚假登录请求,这在所有经过测试的浏览器中都会导致缓存的凭据被删除,然后将用户重定向到不受保护的页面页。
The alert() when something goes wrong should probably be changed to something else.
出现问题时的 alert() 可能应该更改为其他内容。
//Submits an invalid authentication header, causing the user to be 'logged out'
function logout() {
$.ajax({
type: "GET",
url: "PUT_YOUR_PROTECTED_URL_HERE",
dataType: 'json',
async: true,
username: "some_username_that_doesn't_exist",
password: "any_stupid_password",
data: '{ "comment" }'
})
//In our case, we WANT to get access denied, so a success would be a failure.
.done(function(){
alert('Error!')
})
//Likewise, a failure *usually* means we succeeded.
//set window.location to redirect the user to wherever you want them to go
.fail(function(){
window.location = "/";
});
}
Then it was as easy as just having the logout link call the logout() function, and it seemed to work seamlessly to the user, though it is still technically a hack job.
然后它就像让注销链接调用 logout() 函数一样简单,它似乎对用户来说是无缝的,尽管从技术上讲它仍然是一个黑客工作。
回答by owyongsk
You can try a hack that is working at the moment with the latest Chrome and Firefox. Create a "/logout" page on your server which accepts only a certain credential such as username: false, password: false. Then using this AJAX request below, you can send the user to that page.
您可以尝试使用最新的 Chrome 和 Firefox 进行当前有效的 hack。在您的服务器上创建一个“/logout”页面,该页面仅接受特定凭据,例如用户名:false,密码:false。然后使用下面的这个 AJAX 请求,您可以将用户发送到该页面。
$("#logout").click(function(e){
e.preventDefault();
var request = new XMLHttpRequest();
request.open("get", "/logout", false, "false", "false");
request.send();
window.location.replace("WHEREVER YOU WANT YOUR LOGGED OUT USER TO GO");
});
What happens is that the false username and password is cached from the valid XMLHttpRequest instead of the current user's credentials, and when a user tries to login into any page, it will use the cached fake credentials, failing to authenticate, it will ask the user to enter another one. Hope this helps!
发生的情况是虚假的用户名和密码是从有效的 XMLHttpRequest 缓存而不是当前用户的凭据,当用户尝试登录任何页面时,它将使用缓存的虚假凭据,如果无法通过身份验证,它会询问用户进入另一个。希望这可以帮助!
回答by Erwin
just finishing an implementation that worked fine to me: At the server I evaluate Session, User Name and password, so I keep track of that information, the login algoritm is as follows:
刚刚完成一个对我来说很好的实现:在服务器上我评估会话、用户名和密码,所以我跟踪这些信息,登录算法如下:
1.Check if user and password is not empty, else return 401.
1.检查用户名和密码是否为空,否则返回401。
2.Check if we have registered the session in our logged-in user list, if not then check if user and password is valid and if so save session id in our list, then return 401. I'll explain this step: if the session id is different one of three things happened: a) The user is opening another window. b) The user session has finished, ie user logged out. c) The session expired due to inactivity. But we want to save the session as long as the user credentials are valid but return a 401 to ask once for password, if we don't save the session then the user could never log in because we don't have the new session id in our list.
2.检查我们是否已经在我们的登录用户列表中注册了会话,如果没有则检查用户和密码是否有效,如果是,则在我们的列表中保存会话ID,然后返回401。我将解释这一步:如果session id 是不同的三件事之一:a) 用户正在打开另一个窗口。b) 用户会话已完成,即用户已注销。c) 会话因不活动而过期。但是只要用户凭据有效,我们就想保存会话,但返回 401 要求输入一次密码,如果我们不保存会话,则用户永远无法登录,因为我们没有新的会话 ID在我们的名单中。
3.Check if user credentials are right, if so, save session info and continue serving pages, else return 401.
3.检查用户凭据是否正确,如果正确,保存会话信息并继续提供页面,否则返回401。
So, the only thing I have to logout a user is to close the session at the server when the user requests the logout page and the web browser shows again the login dialog.
因此,当用户请求注销页面并且 Web 浏览器再次显示登录对话框时,我唯一需要注销用户的事情就是关闭服务器上的会话。
I'm thinking as I write this that there has to be a step where the program checks if the user is already logged to avoid impersonation, maybe I can save more than one session id per user to allow multiple session, well, I would like your comments about it.
我在写这篇文章时在想,必须有一个步骤让程序检查用户是否已经登录以避免模拟,也许我可以为每个用户保存一个以上的会话 ID 以允许多个会话,好吧,我想你对它的评论。
Hope you get the idea, and comment if you see any security flaw ;)
希望你能明白,如果你看到任何安全漏洞,请发表评论;)
回答by Vilius Gaidelis
You can delete credentials with JavaScript:
您可以使用 JavaScript 删除凭据:
$("#logout").click(function(){
try {
document.execCommand("ClearAuthenticationCache");
window.location.href('/logout.html'); // page with logout message somewhere in not protected directory
} catch (exception) {}
});
This code works only in IE. This is the reason why try/catch block is added there. Also, for the same reason the logout link you should show for IE users only:
此代码仅适用于 IE。这就是在那里添加 try/catch 块的原因。此外,出于同样的原因,您应该仅为 IE 用户显示注销链接:
<!--[if IE]>
<div id="logout">[Logout]</div>
<![endif]-->
And for other users my suggestion is something like:
对于其他用户,我的建议类似于:
<div id="logout2" onclick="alert('Please close your browser window to logout')">[Logout]</div>
回答by Greg T
If you have control over the server code, you can create a "logout" function that replies "401 Unauthorized" regardless of the credentials given. This failure forces browsers to remove saved credentials.
如果您可以控制服务器代码,则可以创建一个“注销”功能,无论给出的凭据如何,都会回复“401 未经授权”。此失败会强制浏览器删除保存的凭据。
I just tested this with Chrome 34, IE 11, Firefox 25 - using Express.js server and HTTP basic authentication.
我刚刚在 Chrome 34、IE 11、Firefox 25 上测试了这个——使用 Express.js 服务器和 HTTP 基本身份验证。
回答by Thomas
What has worked for me in Chrome (Version 66) is to send an Ajax request to an URL that returns 401. That way the basic authentication cache seems to be cleared.
在 Chrome(版本 66)中对我有用的是向返回 401 的 URL 发送 Ajax 请求。这样基本身份验证缓存似乎被清除了。
var xhttp = new XMLHttpRequest();
xhttp.open("GET", "/url_that_returns_401", true);
xhttp.send();
