On Jan 28, 2010, at 8:09 AM, Andreas Fuchs wrote:

> On Thu, Jan 28, 2010 at 15:57, Patrick May patrick.may@mac.com wrote:
>> I don't think this is a Hunchentoot issue, but I thought I'd ask here first. I've noticed that Safari seems to cache the basic authorization username and password, so that even if I call (remove-session *session*) on the server side, Safari just reloads the page.
>
> AFAIK, every browser does this. It's the only way HTTP Basic auth can work without being terribly annoying to the user.
>
>> Am I interpreting the behavior correctly? If so, how do I force a re-authorization?
>
> To "log out" the user, you need to return a 401 Unauthorized status (see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), which will prompt the browser to display the user/password dialog box again. If the user presses Cancel enough times, they'll finally be logged out.
>
> It's terribly convoluted, but that's Basic auth for you /-:
Yes. That is why IMHO basic auth (and in fact all HTTP auth schemes) should never be used. They are fundamentally b0rken.
rg
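To make the 401 trick from the thread concrete, here is an added example (not code from the thread, nor Hunchentoot's own) of a protected handler plus a /logout handler in Hunchentoot. The realm, the credential table, the port and the URIs are assumptions; it expects Hunchentoot loaded via Quicklisp.

```lisp
;; Added example, not from the mailing-list thread. Assumes Quicklisp.
(ql:quickload :hunchentoot)

(defpackage :basic-auth-demo
  (:use :cl :hunchentoot))
(in-package :basic-auth-demo)

;; Constructed credentials for illustration only; a real deployment
;; would compare against a password hash, not a plaintext alist.
(defparameter *users* '(("alice" . "correct horse battery staple")))

(defun valid-credentials-p ()
  "Return T when the request's Basic auth header matches *users*."
  (multiple-value-bind (user password) (authorization)
    (and user
         (let ((expected (cdr (assoc user *users* :test #'string=))))
           (and expected (string= expected password))))))

(define-easy-handler (secret :uri "/secret") ()
  ;; Missing or wrong credentials: REQUIRE-AUTHORIZATION sets the 401
  ;; status and the WWW-Authenticate header, so the browser shows its
  ;; login dialog, then aborts the handler.
  (unless (valid-credentials-p)
    (require-authorization "demo"))
  (start-session)
  (setf (content-type*) "text/plain")
  (format nil "Hello ~a. Visit /logout to sign out.~%" (authorization)))

(define-easy-handler (logout :uri "/logout") ()
  ;; Dropping the server-side session alone changes nothing for the
  ;; browser: it keeps resending the cached Authorization header.
  ;; Answering 401 with a fresh challenge for the same realm is what
  ;; makes it prompt again; the user cancelling the dialog discards the
  ;; cached credentials, exactly as described in the thread.
  (when *session*
    (remove-session *session*))
  (setf (return-code*) +http-authorization-required+)
  (setf (header-out :www-authenticate) "Basic realm=\"demo\"")
  (setf (content-type*) "text/plain")
  "Logged out: press Cancel in the login dialog to stay logged out.")

;; Assumed port; START returns immediately and serves in a thread.
(defvar *server*
  (start (make-instance 'easy-acceptor :port 8080)))
```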