[owasp-intrinsic-security] HTTP Authentication

Bil Corry bil at corry.biz
Thu Oct 30 11:35:26 EDT 2008

Another area of browser security that could use some help is HTTP Authentication; specifically, there isn't a straightforward way to "logout" the user -- that is, tell the browser to stop sending the authentication header.  In some browsers (all?), you actually have to quit the browser entirely to do it.

From the user's perspective, one welcome change would be that closing all windows associated with the site should terminate sending the authentication header on future visits to the site.

- Bil
