WWW-Authenticate signout

Question

I noticed that once Firefox pops up a modal in response to a WWW-Authenticate header in an HTTP response. Then, Firefox saves the username/password until Firefox is closed. The Web Developer plug-in makes it possible for developer-minded people to logout. But what HTTP message should be sent to the browser to lose those cached credentials?

Answer 1

I found a reasonable workaround. It's a bit involved, but works very well. I created a table with a GUID field. It didn't start with any records. Here's the solution:

1. User clicks "Logout".
2. Logout script adds a GUID to the new table.
3. Logout script redirect the user to a URL that has the GUID as a parameter.
4. When a user hits a URL with the GUID as a parameter, the system searches the table for the GUID.
   1. If the GUID is in the table, remove the record with the GUID and give an invalid username/password response code (even if the credentials are okay).
   2. If the GUID is not in the table, validate the credentials.

This new table can get bloated fast by hackers, so be sure each user can only have one entry in the table. You could also use timestamps and have a batch job to prune the table every so often.

Answer 2

I'm afraid there is no way to gracefully send the browser the order to stop keeping (and sending in each http request to your server) the credential that you reclaimed at the beginning of user's navigation (through http 401 response).

Answer 3

Firefox will clear it's cached WWW-auth UN/PW with a 403 Forbidden.

Chrome will clear with a 403 Forbidden or a 401 Not Authorized.

Safari will always prompt you if you want to cache or not.

IE is poop.