11:55:18 AM
3FL0PJYH2
For example:
DO wwhttp LOCAL loHttp as wwHttp loHttp = CREATEOBJECT("wwHttp") ShowHtml(loHttp.HttpGet("http://www.west-wind.com/admin","rstrahl",GetSystemPassword() )) WAIT WINDOW ShowHtml(loHttp.HttpGet("http://www.west-wind.com/admin","rstrahl","bogus")) WAIT WINDOW ShowHtml(loHttp.HttpGet("http://www.west-wind.com/admin"))
This code logs me in on the first request (access allowed), which simulates a logon. Then to 'log out' I log on again with bogus credentials which results in a 401 Not authorized. The last call then following that without credentials fails also with a 401 not authorized.
So you can effectively log out of Windows Auth...
+++ Rick ---
Yes, it is the windows credentials. We are integrating to a voice recording software application. We have two integration features, 1 which creates a http link to a voice recording stored in the voice recording software and one that allows the playback on the stored recording. To playback a recording we utilize a special account that has been created on the voice recording software and control security to playback the recordings via our software. To add a link to a voice recording the standard windows creditials should be used. The problem reported by the voice recording vendor is that after playback the special account/password is used for the other integration functions and should not be. Other functions should use the windows credentials. User accounts on the voice recording software do not normally have rights to playback voice recordings as this is considered a management function.
thanks,
Stuart
Yes that would work. But I think there might be easier ways to solve this. You haven't been very specific of what actually caches...
If it's Windows credentials.
+++ Rick ---
I appreciate your reply. When you state:
"FWIW, this is the way HTTP is supposed to work. You can't release an auth token unless you shut down the app except if the app has some way to explicitly do that for you."
Does this mean if I move the code from my main application into a standalone exe and launch this exe each time that the auth token would be released?
Stuart
Hi Stuart,
Not that I know of. Basically wwHttp uses WinInet which acts like a single browser instance in a process. Once loaded the HTTP instance and 'session' stays live so it remembers cookies and Windows authentication tokens. The only way I know how to unload is to actually access the authentication link and physically log out. IOW, the server has to log you out and invalidate your credentials.
With cookie based (ie. application based) security this is pretty easy - the server app has a logout function that you can call that effectively releases the cookie. You can also do that on hte client by explicitly adding the same cookie and clearing the value.
For authentication this might actually also work. Authentication tokens for various security mechanisms are carried via headers in HTTP - you can take a look at the headers used (typically the Authorization: header) and explicitly set that to blank in your code. This should invalidate the server authentication and hopefully force you to log back in.
FWIW, this is the way HTTP is supposed to work. You can't release an auth token unless you shut down the app except if the app has some way to explicitly do that for you.
+++ Rick ---
I am having a problem with IE storing username/password credentials after issueing the wwhttp, httpget command. Is there an easy way to force the credential caching to be cleared?
The code that I use is simple:
do wwhttp.prg
ohttp=createobject('wwHTTP')
lchtml = ohttp.httpget(<hhtp path>, <username>,<password>,<voice file to retreive>)
< Playback the voice file >
ohttp.destroy()
release ohttp
thanks,
Stuart
West Wind Technologies
Making waves on the Web
from Maui, Hawaii
