Logout form secure site

Apologies if this is not quite the correct ng to be asking this
question and sorry to be so vague in what I'm asking, but can anyone
give me any pointers to implementing a logout button from a secure web
site. Ie I want to supply a means to users of our staff extranet so
that their sessions may be closed securely at will. They login with a
user name and password and then they can end the session so that the
browser returns to a page outside of the secure area of the extranet
and the password is removed from their cache.

TIA

re: Logout form secure site

gary thomson wrote:[color=blue]
> Apologies if this is not quite the correct ng to be asking this
> question and sorry to be so vague in what I'm asking, but can anyone
> give me any pointers to implementing a logout button from a secure web
> site. Ie I want to supply a means to users of our staff extranet so
> that their sessions may be closed securely at will. They login with a
> user name and password and then they can end the session so that the
> browser returns to a page outside of the secure area of the extranet
> and the password is removed from their cache.[/color]

A session ties various stateless HTTP requests by sharing some data across
these requests. This is done preferably on the server side using session
variables in PHP, ASP or whatever. These session variables are saved
somewhere, eg. in a file. When someone logs out the store with the session
variables simply has to be deleted. How this is done depends on the
technology used. Therefore it might be better to ask in a PHP, ASP or
whatever group.

HTH,
Boris

re: Logout form secure site

On Mon, 7 Jun 2004, Boris wrote:
[color=blue]
> A session ties various stateless HTTP requests by sharing some data across
> these requests.[/color]

Right (though I'm not sure what this is doing in a specifically "HTML"
authoring group).
[color=blue]
> This is done preferably on the server side[/color]

Eh? HTTP itself is stateless: maintainence of state *has* to be a
co-operative process in which the "sharing" takes place between
both sides of the conversation. I.e passing some kind of unique token
to and fro between server and client.
[color=blue]
> using session variables in PHP, ASP or whatever.[/color]

I agree with the "or whatever". Although the implementation details
may vary, they are all based in the same underlying principles.

By the way, don't confuse this kind of thing with the "basic
authentication" mechanism of HTTP. Basic authentication doesn't
involve maintenance of state: the browser gets to learn, via the
exchange of 401 status, which basic credentials are appropriate for
accessing different parts of a site, and will then continue to supply
them auomatically, without any exchange of status information with the
server. Normally, that's done with credentials which remain stable
for long periods, and there's no particular defined mechanism for the
server to tell the client that it should forget a particular set of
credentials: that's something between the user and their browser.

This mechanism can be adapted by having the server report that the
credentials are no longer valid. But it's not a particularly robust
way of managing time-limited sessions, IMHO.
[color=blue]
> These session variables are saved somewhere, eg. in a file. When
> someone logs out the store with the session variables simply has to
> be deleted. How this is done depends on the technology used.
> Therefore it might be better to ask in a PHP, ASP or whatever group.[/color]

Agreed; but the underlying principles (of passing a token to and fro
between client and server) are the same no matter how they're
implemented in detail on the server side.

re: Logout form secure site

Alan J. Flavell wrote:[color=blue]
> On Mon, 7 Jun 2004, Boris wrote:
>[color=green]
>> A session ties various stateless HTTP requests by sharing some data
>> across these requests.[/color]
>
> Right (though I'm not sure what this is doing in a specifically "HTML"
> authoring group).
>[color=green]
>> This is done preferably on the server side[/color]
>
> Eh? HTTP itself is stateless: maintainence of state *has* to be a
> co-operative process in which the "sharing" takes place between
> both sides of the conversation. I.e passing some kind of unique token
> to and fro between server and client.[/color]

Yes. I only stressed server side as the OP said something with "password is
removed from their cache" (which sounded to me like a store on users'
machines).

Boris
[color=blue]
> [...][/color]

re: Logout form secure site

On Mon, 7 Jun 2004, Boris wrote:
[color=blue]
> Alan J. Flavell wrote:[color=green]
> > On Mon, 7 Jun 2004, Boris wrote:
> >[color=darkred]
> >> This is done preferably on the server side[/color]
> >
> > Eh? HTTP itself is stateless: maintainence of state *has* to be a
> > co-operative process in which the "sharing" takes place between
> > both sides of the conversation. I.e passing some kind of unique token
> > to and fro between server and client.[/color]
>
> Yes. I only stressed server side as the OP said something with "password is
> removed from their cache" (which sounded to me like a store on users'
> machines).[/color]

I see, thanks! If I misinterpreted what you were saying, then
please accept my apology.