Re: mod_plsql LOGMEOFF -- how does it work? --> it really is smoke and mirrors
Date: Sat, 5 Mar 2005 08:59:53 -0500
Message-ID: <uoSdnQuu3oLBJrTfRVn-uQ_at_comcast.com>
"Mark C. Stock" <mcstockX_at_Xenquery .com> wrote in message news:9cOdnSoWkpOvM7TfRVn-uw_at_comcast.com...
> "Malcolm Dew-Jones" <yf110_at_vtn1.victoria.tc.ca> wrote in message > news:4228b704_at_news.victoria.tc.ca...
>> Mark C. Stock (mcstockX_at_Xenquery.com) wrote:
>> : when user mod_plsql, appending LOGMEOFF to a DAD clears the browser's
>> : credentials
>>
>> : does anybody know how this is done (what HTML headers might be sent?)??
>>
>> : i need to do this in a non-oracle PHP app, and i can't find any
>> references
>> : to how this is possible without having the browser prompt for new
>> : credentials, yet somehow mod_plsql is accomplishing it
>>
>> : ++ mcs
>>
>> If it is the headers you need (maybe/maybe not), then do the following.
>>
>> Install a proxy on your PC, point your browser through that local proxy,
>> then browse the site, and then logof.
>>
>> Examine the proxy logs to see the headers.
>>
>> I have used Proxomitron with great success in the past.
>>
>> There are other ways to examine the headers, but having a proxy to
>> monitor
>> everything is generally useful for many web tasks, so well worth the
>> small
>> effort to get and setup.
>>
>>
>> --
Well, that did it, Malcom...
Turns out that the mod_plsql (10g, 9.0.4.0) LOGMEOFF 'page' doesn't clear credentials, it simply switches realms
I had noticed that the realm included the DAD plus a timestamp, but not put 2 and 2 together.
Here's what it does:
The LOGMEOFF request responses with a 200 OK header but sets a WDB_GATEWAY_LOGOUT=YES cookie.
On the next request, the cookie is evidently detected, and a 401 header is returned, but the realm is changed to the DAD plus a new timestamp.
Once new credentials are received and validated, the cookie is reset and expired.
Very clever, those Oraclites.
Thanks again for the tip.
++ mcs Received on Sat Mar 05 2005 - 14:59:53 CET