Venkat

Reputation: 149

Browser sending old "Authorization" header for subsequent requests

We are experiencing an issue with the browser sending the Authorization header of the initial request for subsequent requests to the same request URI.

Problem:

We have a web project which has user-specific business logic, so we have this login logic where, for the initial request, if we don't have an existing session we send a 401 response along with a WWW-Authenticate: Basic realm="production site" header to get credentials via the client; the browser issues a re-request with the Authorization header and we use it to create a session and initiate the login process.

However, once the browser cache & cookies are cleared the session gets destroyed, but we are still getting the old Authorization header (the one from the initial request) sent to that URI.

We suspect it is a cache issue but are not sure.

Can someone please help us to understand what's happening here and why we are getting the same Authorization header every time. Thanks in advance.

Upvotes: 0

Views: 407

Answers (1)

Evert

Reputation: 99717

Basic/Digest authentication usually gets stored separately from the cache and is unrelated to cookies.

The server doesn't have a ton of control over this, but one way to force the browser to clear credentials is to just send a 401 with a new WWW-Authenticate header (even if the credentials you got are correct, you basically need some way to track that the intent was to log out), but this will create a new login dialog that the user will need to dismiss.

I'd recommend not mixing cookies and HTTP Authorization. You don't need sessions because you already know who's making the request.

Generally HTTP Auth in browsers kinda sucks and browser developers have not done a good job creating a good UX for this, which is why almost everyone just renders HTML login forms instead.

Upvotes: 1
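To make the two behaviours concrete (the browser replaying a stored Basic header regardless of any server-side session, and the answer's trick of sending a deliberate 401 to make it forget the credentials), here is an added Python example. It is not code from the question or from Evert; the credential store, the `/logout` path and the `(status, headers, body)` response shape are assumptions chosen for the demonstration. The simulated browser mimics what real browsers do: resend stored credentials to the same URI until a 401 arrives.

```python
import base64
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed demo credential store. Plaintext passwords are used only so the
# example is self-contained; a real deployment verifies against salted hashes.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}
REALM = "production site"  # realm from the question's WWW-Authenticate header

# A response is (status, headers, body). Real frameworks differ; this shape is an assumption.
Response = Tuple[int, Dict[str, str], str]


def encode_basic(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from 'Basic <base64(user:password)>', or None if absent/malformed."""
    if not header:
        return None
    scheme, _, param = header.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison; an unknown user is compared against an empty string
    so the timing does not reveal whether the username exists."""
    expected = USERS.get(user, "")
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")) and user in USERS


def challenge() -> Response:
    """401 with WWW-Authenticate. This is what makes the browser prompt and, as the
    answer notes, what makes it discard credentials it has already stored."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}, "Unauthorized"


def handle(path: str, headers: Dict[str, str]) -> Response:
    """Request handler with no cookies or server-side session: the Authorization
    header alone identifies the caller, as the answer recommends."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        return challenge()
    user, _ = creds
    if path == "/logout":
        # The dedicated path is the server's record of "the intent was to log out":
        # the credentials are correct, but we answer 401 anyway so the browser forgets them.
        return challenge()
    return 200, {"Content-Type": "text/plain"}, f"hello {user}"


def simulate_browser_flow() -> List[int]:
    """Model a browser that caches Basic credentials per URI and clears them on 401.
    Returns the status of each step so the behaviour can be checked."""
    stored: Optional[str] = None  # the browser's credential store, separate from cookies
    statuses: List[int] = []

    def request(path: str) -> int:
        nonlocal stored
        headers = {"Authorization": stored} if stored else {}
        status, _, _ = handle(path, headers)
        if status == 401:
            stored = None  # browser drops what it had and would prompt the user
        statuses.append(status)
        return status

    request("/")                                                     # 1: no creds -> 401, prompt
    stored = encode_basic("alice", "correct horse battery staple")   # user types into the dialog
    request("/")                                                     # 2: re-request -> 200
    # Cookies cleared / server session destroyed: nothing changes for the browser,
    # it still replays the stored header (the asker's observation).
    request("/")                                                     # 3: still 200
    request("/logout")                                               # 4: deliberate 401 -> creds dropped
    request("/")                                                     # 5: back to the login prompt
    return statuses


if __name__ == "__main__":
    print(simulate_browser_flow())
```

Step 3 is the point of the question: the stored Basic credential lives outside both the cookie jar and the HTTP cache, so destroying a server session or clearing cookies leaves it untouched. Step 4 is the answer's workaround, at the cost of the extra dialog the user must dismiss.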
