This is G o o g l e's cache of http://www.lp.se/ftp/mailinglists/PWDCHG.1998-03.
G o o g l e's cache is the snapshot that we took of the page as we crawled the web.
The page may have changed since that time. Click here for the current page without highlighting.

Google is not affiliated with the authors of this page nor responsible for its content.

These search terms have been highlighted:

levitte

Archive-Date: Tue, 24 Mar 1998 19:28:13 +0100
From: thomasgd@omc.bt.co.uk (Greg Thomas)
Reply-To: PWDCHG@lp.se
To: PWDCHG@lp.se
Subject: When passwords have changed
Date: Tue, 24 Mar 1998 18:28:02 GMT
Message-ID: <352af70a.29975852@www.omc.bt.co.uk>
References: <9790-Fri13Jun199716:13:35+0200-levitte@lp.se> <3500d3ec.330956640@www.omc.bt.co.uk>
In-Reply-To: <3500d3ec.330956640@www.omc.bt.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Again, at the risk of kicking this list into life again, a further
question for anyone out there ...

I now have a (non-priv'd) script that will change the users password.
_But_ browsers tend to cache the old password, not the new one. What I
figured I could do was;

1. Script called (GET); displays form for username, password, with a
hidden field for the user authentication data - WWW_HTTP_AUTHORIZATION
from CGI_SYMBOLS - as the script is password protected. Script submits
data to itself.
2. Script is called (POST);=20
2a. If the authentication data in the form data is the same as the one
retrieved from CGI_SYMBOLS, then change the users password. If it was
successful, then return "HTTP/1.0 Error 401 Unauthorized". This should
force the browser to pop-up a new username/password entry box, the
user enters his new password, and the browser should re-submit the
form with a different password (and hence a different
WWW_HTTP_AUTHORIZATION).
2b. If the authentication data in the form is different from the one
retrieved from CGI_SYMBOLS, then the user has changed his password and
the browser knows about it. Just display a message to say the password
has been changed.

The only flaw with this process is that the authenticators cache the
users data for a while - is there an easy way to force that cache to
be flushed in step 2a?

You might ask why not just flush the authenticator cache straight away
after changing the password - the browser would prompt for a new
password next time around. You could do but that would cause an
unnecessary intruder alert on the system (as the authenticator fails
to validate the old password), which I am keen to avoid. It depends on
how lazy I feel when/if I ever get around to implementing it.

Comments, anyone?

Any ideas about flushing the authenticator password cache?

Greg