  1. #1
    New to the CF scene
    Join Date
    Sep 2004
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Problem with embedded username and password in Microsoft.XMLHTTP open() method

    Hi,

    My application is using Digest Authentication (RFC 2617). We use the Microsoft.XMLHTTP object in JavaScript to communicate with the server.

    Once the user logs in successfully, the username and password are cached by the browser. The browser sends the credentials in each subsequent request (using the Authorization header) to the server.

    So when the user logs out of the application I have to flush out the username and password from the browser's cache so that when the user logs in again using the same browser window the browser should prompt for the username and password.

    Previously this was done by the following JavaScript code snippet, where userName and g_newPwd are dummy string entries.

    var connection = new ActiveXObject("Microsoft.XMLHTTP");
    connection.open("POST", "/myApplication/", false, userName, g_newPwd);
    connection.send("bool");

    This would flush out the cached information.

    But now Microsoft has issued an IE security patch, Q832894, which prevents any embedded user credentials in the open method. After installing this patch my application was giving a script error, for which Microsoft again issued a couple of patches, 831167 and 832414.

    After installing these patches the script error is gone but the cached user information still remains and therefore the browser does not prompt for the username and password and user gets logged in automatically.

    Is there any alternative solution to the connection.open method so that after logging out I can flush out the cached user information (specifically the Authorization header) from the browser?

    Note: myApplication is a servlet which does the authentication by checking the HttpRequest.getHeader("Authorization"). Previously after logging out this would return null but now the previously cached user credentials persist and so the user is logged in automatically.

    This is causing a security issue, please help.

  • #2
    New to the CF scene
    Join Date
    Feb 2007
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Post Credential caching problem with xmlHttp

    Hi,

    I'm also facing this problem. I've a VB app that connects to a secured webservice. When I run/debug the app, I'll be prompted for the username & pwd only the first time. After this, no matter how many times I run the app, I'm not prompted for the credentials. It looks like the xmlHttp object is caching the credentials and using them for connecting to the webservice.

    Can anybody tell me a solution/workaround for this problem?

    Thanks,
    Sai.

  • #3
    Regular Coder
    Join Date
    Jun 2002
    Location
    Adirondacks
    Posts
    516
    Thanks
    4
    Thanked 4 Times in 4 Posts
    Couldn't you just delete and reinstall a cookie each time?
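
One server-side way to approach the question in post #1, as an added example that is not part of the thread or any poster's code: the server tracks the Digest nonces it has issued, revokes the nonce on logout, and answers the cached Authorization header with a fresh 401 challenge that omits stale=true, which RFC 2617 defines as meaning new credentials must be obtained. The realm, user store and function names are constructed for illustration, and the Java servlet is modelled here in Node.js JavaScript.

```javascript
// Added example: Digest nonce revocation on logout (not code from the thread).
const crypto = require('crypto');
const md5 = (s) => crypto.createHash('md5').update(s).digest('hex');

const REALM = 'myApplication';                       // constructed sample realm
const USERS = new Map([['alice', 'correct horse']]); // constructed user store
const liveNonces = new Set();                        // nonces the server still honours

// Issue a 401 challenge. It deliberately omits stale=true, so per RFC 2617
// the client has to obtain new credentials instead of silently retrying.
function challenge() {
  const nonce = crypto.randomBytes(16).toString('hex');
  liveNonces.add(nonce);
  return { status: 401, nonce,
           header: `Digest realm="${REALM}", qop="auth", nonce="${nonce}"` };
}

// Parse the key="value" / key=value pairs of a Digest Authorization header.
function parseDigest(header) {
  const out = {};
  const body = String(header || '').replace(/^Digest\s+/i, '');
  for (const m of body.matchAll(/(\w+)=(?:"([^"]*)"|([^,\s]+))/g)) out[m[1]] = m[2] ?? m[3];
  return out;
}

// The response value for qop=auth; the browser computes the same thing.
function digestResponse(user, pass, method, p) {
  const ha1 = md5(`${user}:${REALM}:${pass}`);
  const ha2 = md5(`${method}:${p.uri}`);
  return md5(`${ha1}:${p.nonce}:${p.nc}:${p.cnonce}:${p.qop}:${ha2}`);
}

// Accept a request only if its nonce is still live and the response matches.
// (nc replay tracking and request-URI matching are left out for brevity.)
function authenticate(method, header) {
  const p = parseDigest(header);
  const pass = USERS.get(p.username);
  if (pass === undefined || !liveNonces.has(p.nonce)) return challenge();
  const want = Buffer.from(digestResponse(p.username, pass, method, p));
  const got = Buffer.from(String(p.response));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return challenge();
  return { status: 200, user: p.username };
}

// Logout: revoke the nonce, so the header the browser cached stops working.
function logout(header) {
  return liveNonces.delete(parseDigest(header).nonce);
}
```

With this in place the logout no longer depends on the browser forgetting anything: the server itself rejects the previously cached Authorization header.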

