Problem with embedded username and password in Microsoft.XMLHTTP open() method

09-29-2004, 04:02 PM

My application is using Digest Authentication (RFC 2617). We use the Microsoft.XMLHTTP object in JavaScript to communicate with the server.

Once the user logs in successfully, the username and password are cached by the browser. The browser sends the credentials in each subsequent request (using the Authorization header) to the server.

So when the user logs out of the application I have to flush out the username and password from the browser's cache so that when the user logs in again using the same browser window the browser should prompt for the username and password.

Previously this was done by the following JavaScript code snippet, where userName and g_newPwd are dummy string entries.

var connection = new ActiveXObject("Microsoft.XMLHTTP");
connection.open("POST", "/myApplication/", false, userName, g_newPwd);

This would flush out the cached information.

But now Microsoft has issued an IE security patch, Q832894, which prevents any embedded user credentials in the open method. After installing this patch my application was giving a script error, for which Microsoft again issued a couple of patches, 831167 and 832414.

After installing these patches the script error is gone, but the cached user information still remains and therefore the browser does not prompt for the username and password and the user gets logged in automatically.

Is there any alternative solution to the connection.open method so that after logging out I can flush out the cached user information (specifically the Authorization header) from the browser?

Note: myApplication is a servlet which does the authentication by checking the HttpRequest.getHeader("Authorization"). Previously after logging out this would return null but now the previously cached user credentials persist and so the user is logged in automatically.

This is causing a security issue, please help.
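The post above describes a servlet that treats any request carrying an Authorization header as logged in. As an added example that is not part of the original thread, the sketch below models a server-side alternative in plain JavaScript (not servlet code): the server tracks the Digest nonces it issued and revokes the nonce at logout, so a replayed cached header gets a 401 without `stale=true`, which under RFC 2617 means new credentials must be obtained. All function and class names, the realm value and the sample header are constructed assumptions, and verification of the `response` hash is left out.

```javascript
// Added example: server-side nonce tracking for Digest auth (RFC 2617).
// All names are hypothetical; response-hash verification is out of scope.

// Parse the key="value" / key=value pairs of a Digest Authorization header.
function parseDigestHeader(header) {
  if (typeof header !== "string" || !/^Digest\s/i.test(header)) return null;
  const fields = {};
  const re = /(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let m;
  while ((m = re.exec(header.slice(6))) !== null) {
    fields[m[1].toLowerCase()] =
      m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3];
  }
  return fields;
}

class NonceStore {
  constructor(ttlMs) { this.ttlMs = ttlMs; this.live = new Map(); } // nonce -> issue time
  issue(nonce, now) { this.live.set(nonce, now); return nonce; }
  revoke(nonce) { this.live.delete(nonce); } // called from the logout handler
  state(nonce, now) {
    if (!this.live.has(nonce)) return "unknown"; // never issued, or revoked at logout
    return now - this.live.get(nonce) > this.ttlMs ? "expired" : "valid";
  }
}

// Decide how to answer a request, given its Authorization header.
// freshNonce must come from a cryptographically secure generator (assumption).
function checkRequest(store, authHeader, now, freshNonce) {
  const f = parseDigestHeader(authHeader);
  const state = f && f.nonce ? store.state(f.nonce, now) : "unknown";
  if (state === "valid") return { status: 200, user: f.username };
  if (f && f.nonce) store.revoke(f.nonce);
  store.issue(freshNonce, now);
  // stale=true lets the browser retry silently with its cached credentials,
  // so it is sent only for a timed-out nonce, never for one revoked by logout.
  const stale = state === "expired" ? ", stale=true" : "";
  return {
    status: 401, // realm value below is a constructed placeholder
    challenge: `Digest realm="myApplication", qop="auth", nonce="${freshNonce}"${stale}`,
  };
}
```

The logout handler calls `store.revoke()` with the nonce of the session being ended; the authentication decision then depends on server-side state instead of on whether the browser still sends a header.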

02-04-2007, 06:55 PM

I'm also facing this problem. I have a VB app that connects to a secured web service. When I run/debug the app, I'm prompted for the username & pwd only the first time. After this, no matter how many times I run the app, I'm not prompted for the credentials. It looks like the xmlHttp object is caching the credentials and using them for connecting to the web service.

Can anybody tell me a solution/workaround for this problem?


02-04-2007, 07:48 PM
Couldn't you just delete and reinstall a cookie each time?