I am using the basic authentication mechanism for my website in IIS. To log out the user I am using something similar to this JavaScript function:

    function logoutUser() {
        // Reload the page shortly after the dummy request has been sent.
        setTimeout(function () { location.reload(true); }, 1000);
        var xmlhttp = GetXmlHttpObject();
        if (xmlhttp == null) {
            return;
        }
        //alert(xmlhttp);
        var url = "index.php";
        // Request the page with deliberately invalid credentials.
        xmlhttp.open("GET", url, true, "dummy_user", "dummy_password");
        xmlhttp.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
        xmlhttp.setRequestHeader("Accept", "message/x-formresult");
        xmlhttp.send(null);
    }

    function GetXmlHttpObject() {
        if (window.XMLHttpRequest) {
            // code for IE7+, Firefox, Chrome, Opera, Safari
            return new XMLHttpRequest();
        }
        if (window.ActiveXObject) {
            // code for IE6, IE5
            return new ActiveXObject("Microsoft.XMLHTTP");
        }
        return null;
    }

The idea is to force a request with some invalid credentials, in order to invalidate the real credentials cached by the browser.
It is working fine in IE, Firefox, Safari, Google Chrome but not in Opera.
Please help me in this regard.

That setting invalid credentials in an XMLHttpRequest should cause valid credentials to be discarded is not something you can rely on. It happens to work in many browsers but it’s not at all standardised. Opera is not doing anything wrong by ignoring the credentials.

There is no standard way to cause HTTP Basic Authentication credentials to be dropped. There’s one more way which works more widely, which is to have a link to /logout, a script that responds 401 when the user has valid credentials instead of when they do not. That will pop open an auth dialog, in which the user can fill in nonsense values or just empty strings; then when /logout is re-requested, it accepts those credentials, replacing the old ‘real’ ones.

Pairing this method and XMLHttpRequest is about the best you can do to provide logout capability for HTTP Authentication today.
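
The /logout script described in the answer above, sketched as an added example that is not part of the original answer or the asker's site. It assumes the application inspects the Authorization header itself (rather than IIS validating it first) and uses a Node-style handler; REALM, parseBasic, logoutResponse, handleLogout and the sample user are hypothetical names and constructed data.

```javascript
// Added example; all names and sample data below are hypothetical.
const REALM = 'example-site'; // assumption: must equal the realm the protected pages send,
                              // because browsers cache Basic credentials per origin and realm

// Decode "Basic base64(user:pass)"; returns null when absent or malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)\s*$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const i = decoded.indexOf(':'); // split on the first ':'; the password may contain more
  if (i < 0) return null;
  return { user: decoded.slice(0, i), pass: decoded.slice(i + 1) };
}

// Inverted check: real credentials get a 401 challenge, anything else is accepted.
function logoutResponse(authHeader, isValidUser) {
  const headers = { 'Cache-Control': 'no-store', 'Content-Type': 'text/plain' };
  const creds = parseBasic(authHeader);
  if (creds && isValidUser(creds.user, creds.pass)) {
    // Browser still holds the real login: challenge so it prompts the user again.
    headers['WWW-Authenticate'] = 'Basic realm="' + REALM + '"';
    return { status: 401, headers, body: 'Enter any other values to log out.' };
  }
  // No credentials, empty strings, or dummy values: accept them, so the browser
  // now caches these for the realm in place of the real ones.
  return { status: 200, headers, body: 'Logged out.' };
}

// Node-style handler for GET /logout; pass it to http.createServer in a real app.
function handleLogout(req, res, isValidUser) {
  const r = logoutResponse(req.headers['authorization'], isValidUser);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}

// Constructed sample data for a quick run.
const sampleUsers = { alice: 's3cret:pw' };
const isValid = (u, p) =>
  Object.prototype.hasOwnProperty.call(sampleUsers, u) && sampleUsers[u] === p;
const basic = (u, p) => 'Basic ' + Buffer.from(u + ':' + p).toString('base64');

console.log(logoutResponse(basic('alice', 's3cret:pw'), isValid).status);
console.log(logoutResponse(basic('dummy_user', 'dummy_password'), isValid).status);
console.log(logoutResponse(undefined, isValid).status);
```

After the 200, the browser sends the nonsense credentials to the protected pages, which reject them with their own 401 and prompt for a fresh login.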