Re: mod_plsql LOGMEOFF -- how does it work?

From: Thomas Kyte <thomas.kyte_at_oracle.com>
Date: 5 Mar 2005 03:46:56 -0800
Message-ID: <120023216.0000baa8.015_at_drn.newsguy.com>


In article <Jt-dnXyNdJBv3rTfRVn-qA_at_comcast.com>, Mark C. Stock says...
>
>
>"Thomas Kyte" <thomas.kyte_at_oracle.com> wrote in message
>news:119986625.0000629b.040_at_drn.newsguy.com...
>> In article <4KudnYNUZqcXObXfRVn-sQ_at_comcast.com>, Mark C. Stock says...
>>>
>>>when using mod_plsql, appending LOGMEOFF to a DAD clears the browser's
>>>credentials
>>>
>>>does anybody know how this is done (what HTML headers might be sent?)??
>>>
>>>i need to do this in a non-oracle PHP app, and i can't find any references
>>>to how this is possible without having the browser prompt for new
>>>credentials, yet somehow mod_plsql is accomplishing it
>>>
>>>++ mcs
>>>
>>>
>>
>>
>> flashback to a time long long ago....
>>
>> I wrote logmeoff :)
>>
>> http://asktom.oracle.com/~tkyte/owarepl/doc/dbauth.html#logoff
>>
>> don't try to use the code there (was for the old OWS 2.1 version -- before
>> iAS 10g, iAS 9i, owas 4.0, owas 3.0 there was ows 2.1 and 2.0 and ois 1.0.
>> this dates back that far...)
>>
>>
>> --
>> Thomas Kyte
>> Oracle Public Sector
>> http://asktom.oracle.com/
>> opinions are my own and may not reflect those of Oracle Corporation
>
>thanks tom, but how's it actually work, if you can let us know...
>
>the link states:
>
><snip>
>What we need to do is trick the browser into remembering a 'bad'
>username/password pair for a given Realm/Host/Port. We do this in the
>cartridge (or cgi-bin) application by recognizing a special URL, 'LogMeOff'.
>In order to log off you will:
>
> http://YourHost:YourPort/YourDCDName/owa/LogMeOff
>
>This will always cause the cartridge to fail authentication (unless the magic
>username is used). It will not attempt to log in or do anything in the
>database, it will just fail the authentication.
>
>This will cause the browser to pop up the basic authentication dialog. No
>matter what combination of username/password you put in, it will fail at
>this point (unless the magic username is used).
></snip>
>

My code, in the 'cartridge', would simply say "unless the password is 'bye' or 'exit', fail the authentication".

Meaning, you have to be doing the authentication in the first place (the application must be doing it). I did all authentication, the webserver did none, it relied on me.

So, if you used logmeoff -- I saw that URL and said "I'm going to fail your authentication unless you use the password 'bye'". At that point, when you did, the browser would receive "successful login". Now, when you would go to any other page -- one that was not named "logmeoff", your password of bye would be invalid and it would fail again, but the browser would not remember your old credentials so you would once again get prompted.

>I notice that in 10gAS (and, as I recall, in 9iAS) the authentication dialog
>does not pop up (I assume it did in earlier releases).
>
>In my HTML code, if I just send the 401 and www-Authenticate headers, the
>dialog pops up. What headers do you guys send in 10g to just get the browser
>to clear its credentials without popping up the dialog? (or if that sounds
>like a request for proprietary information, may I rephrase it as "What
>headers do you think probably need to be sent....")
>
>Thanks for your input.
>
>++ mcs
>
>

-- 
Thomas Kyte
Oracle Public Sector
http://asktom.oracle.com/
opinions are my own and may not reflect those of Oracle Corporation
Received on Sat Mar 05 2005 - 12:46:56 CET
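
The dialog-based logoff described in the message above, as an added Python sketch that is not part of the original thread and not Oracle's code. The realm, the /app/ paths and the scott/tiger account are assumptions made for illustration; only the LogMeOff URL and the 'bye'/'exit' passwords come from the post.

```python
import base64
import hmac

REALM = "demo"                      # assumed realm name
USERS = {"scott": "tiger"}          # constructed sample account
LOGOFF_PATH = "/app/logmeoff"       # assumed path; the post only names the LogMeOff URL
MAGIC = (b"bye", b"exit")           # logoff-only passwords named in the post

CHALLENGE = (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})

def basic(user, password):
    """Build the Authorization header a browser sends for user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if unusable."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def handle(path, header):
    """Application-level auth: return (status, headers) for one request."""
    creds = parse_basic(header)
    if path.rstrip("/").lower() == LOGOFF_PATH:
        # Logoff URL: the user table is never consulted; only a magic password passes.
        if creds and any(hmac.compare_digest(creds[1].encode(), m) for m in MAGIC):
            return 200, {}
        return CHALLENGE
    # Any other page: normal check, so a cached "bye" is rejected here.
    # A real account must never use a magic password, or logoff would not stick.
    expected = USERS.get(creds[0]) if creds else None
    if expected and hmac.compare_digest(creds[1].encode(), expected.encode()):
        return 200, {}
    return CHALLENGE

def logoff_walkthrough():
    """Replay the sequence from the post; the browser resends its cached header."""
    cached = basic("scott", "tiger")
    statuses = [handle("/app/home", cached)[0]]           # logged in
    statuses.append(handle("/app/LogMeOff", cached)[0])   # forced failure, dialog pops up
    cached = basic("scott", "bye")                        # user types the magic password
    statuses.append(handle("/app/LogMeOff", cached)[0])   # accepted, browser caches "bye"
    statuses.append(handle("/app/home", cached)[0])       # old credentials gone, prompt again
    return statuses
```

logoff_walkthrough() returns the status codes in order, so the second and fourth entries are the two points where the browser shows its dialog.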
