[Webkit-unassigned] [Bug 44823] New: Support document.execCommand("ClearAuthenticationCache")

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Aug 28 10:53:04 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=44823

           Summary: Support
                    document.execCommand("ClearAuthenticationCache")
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Enhancement
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mackyle at gmail.com


EditorCommand.cpp <http://trac.webkit.org/browser/trunk/WebCore/editing/EditorCommand.cpp> does not currently support ClearAuthenticationCache.

When using HTTP authentication (via the 401 Authorization Required, WWW-Authenticate, Authorization mechanisms -- see RFC 2617 <http://tools.ietf.org/html/rfc2617>), there does not currently seem to be a way to clear the authentication cache in WebKit-based browsers so that the next request will always generate a login dialog for the user.

This precludes providing a logout mechanism when HTTP Authentication is used.  Possibly this could even be considered a security hole as if the browser is not quit, another user could then access the page with the same cached credentials.

IE 6 sp1 and later (see <http://msdn.microsoft.com/en-us/library/ms536979.aspx>) support the ClearAuthenticationCache command (via document.execCommand) to provide this functionality and clear the authentication cache on the browser side without requiring any server-side support whatsoever.

Firefox also does not currently support ClearAuthenticationCache, however Firefox does clear the authentication cache for a specific authorization realm when it receives a 401 response after sending an authorization header.  In other words, if Firefox tries a cached user/password combination for an authorization realm and it fails (401 response), it clears the cache since there would be no point in trying that failing user/password combination again.  Safari, on the other hand, stubbornly hangs on to the last used user/password combination in the authorization cache even if it resulted in a 401 response.

So there is an ugly hackaround available for Firefox in that if you use a JavaScript XMLHttpRequest to retrieve an authorization required URI for the authorization realm you wish to log out of with an invalid user/password combination and then abort the request, Firefox will have cleared the authentication cache.  Safari, however, will not as it always hangs on to the last used user/password.  Regardless, this is an ugly hack as it generates unwanted traffic to the server as well as a server log entry and requires explicit server configuration to support.

Providing a means to clear the authentication cache without using hacky, non-documented solutions is desired for WebKit based browsers and document.execCommand("ClearAuthenticationCache") could provide that mechanism for WebKit just like it does for IE 6 sp1 and later.

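As an added example (not code from the bug report or from WebKit), a small client-side logout helper that first tries the IE `document.execCommand("ClearAuthenticationCache")` path described above and otherwise falls back to the XMLHttpRequest-with-bad-credentials workaround the report describes for Firefox. The `doc` and `XHR` parameters are assumed injection hooks so the logic can be exercised outside a browser; `protectedUrl` is any resource inside the realm being logged out of, and per the report the fallback does not help on Safari.

```javascript
// Returns which mechanism was used: "execCommand", "xhr-401" or "unsupported".
// doc / XHR default to the real browser objects; they are assumed hooks for testing.
function clearHttpAuthCache(protectedUrl, { doc, XHR } = {}) {
  doc = doc || (typeof document !== "undefined" ? document : null);
  XHR = XHR || (typeof XMLHttpRequest !== "undefined" ? XMLHttpRequest : null);

  // 1. IE 6 SP1+ path: dedicated command, no server round-trip, no log entry.
  if (doc && typeof doc.execCommand === "function") {
    try {
      if (doc.execCommand("ClearAuthenticationCache")) {
        return "execCommand";
      }
    } catch (e) {
      // Browsers that do not know the command return false or throw; fall through.
    }
  }

  // 2. Firefox workaround from the report: request a protected URL with
  //    deliberately invalid credentials. The resulting 401 makes Firefox drop
  //    the cached user/password for that realm. Costs a server hit and a log line.
  if (XHR) {
    const xhr = new XHR();
    // Unique bogus password so no intermediate cache can satisfy the request.
    const bogusPassword = "invalid-" + Date.now() + "-" + Math.random();
    xhr.open("GET", protectedUrl, true, "logout", bogusPassword);
    xhr.onreadystatechange = function () {
      // readyState 2 = headers received: the 401 has reached the browser,
      // so abort rather than download the error body.
      if (xhr.readyState >= 2) {
        xhr.abort();
      }
    };
    xhr.send(null);
    return "xhr-401";
  }

  return "unsupported";
}
```

In a page protected by HTTP auth, wire this to a "Log out" button and then navigate to a protected URL to confirm the browser prompts again.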