89
15
How can I make Firefox "invalidate" it's saved HTTP Basic Auth credentials for a website from the client side?
Currently, I have to restart the browser, which is rather cumbersome with multiple tabs open.
Is there a way to do this without having to restart Firefox/clear the cache/etc.
MiffTheFox
Posted 2010-08-27T21:05:39.597
Reputation: 3 032
79
You can choose Clear Recent History from the History menu (Ctrl + Shift + Del, Macs: Cmd ⌘ + Shift + Del). You can then select to just clear Active Logins from the details to just clear those sessions.
In older versions of Firefox (such as FF3), Clear Recent History is under the Tools menu. The shortcut is the same.
heavyd
Posted 2010-08-27T21:05:39.597
Reputation: 54 755
67
If you change username and password from the original session to one which will not authenticate, Firefox will destroy all reference to the old authentication and attempt the new one.
You can change/set authentication by adding user:pass@ to the beginning of the URL, example: http://user:pass@www.example.com/
If you are logged into www.example.com with user:pass then typing (adding to the beginning of the address) anything@ will cause this to happen, example: http://abc@www.example.com/
A fast fix which doesn't require any plugins.
Please note this only works for HTTP Basic Auth.
An additional side benefit is this will affect only the website you are interacting with. All other logins to any other website will remain active.
Drew Anderson
Posted 2010-08-27T21:05:39.597
Reputation: 771
@DrewAnderson last time I checked, only firefox supported the user:pass@ notation in the url bar. – masterxilo – 2019-06-17T11:36:56.723
7This is an awesome answer. Simple, easy-to-use, no additional software required, and clever in a non-obviously obvious sort of way. – wfaulk – 2013-03-19T16:30:56.623
3On a side note, this should work with most other browsers also, including Chrome and Internet Explorer (IE) – Drew Anderson – 2013-09-19T08:51:50.623
10
The Web Developer toolbar allows HTTP authentication to be reset within a browser session.
From Firefox's Context Menu, choose Web Developer -> Miscellaneous -> Clear Private Data -> HTTP Authentication.
boot13
Posted 2010-08-27T21:05:39.597
Reputation: 5 551
1Can't find this on current Firefox – Scolytus – 2015-02-12T07:44:05.773
3Unfortunately, that feature seems to have disappeared at some point since I posted this answer. – boot13 – 2015-02-12T13:25:26.797
1Just tested it, works! Please note: that's not part of Firefox's bundled dev tools, you have to install the linked add-on. – Diego V – 2017-10-25T08:08:50.700
3
Make the request from a private window.
In Firefox: File - New Private Window (Ubuntu Ctrl+Shift+P)
In Chrome New incognito Window (Ubuntu Ctrl+Shift+N)
tobias.h
Posted 2010-08-27T21:05:39.597
Reputation: 131
2
there is no way for the website to offer a log out option
This is wrong. There are several and simple ways for the website to offer a logout options.
1) Logout link will point to a URL on the same domain containing credentials that are intentionally incorrect
2) Logout link will trigger javascript with following code snippet (Microsoft Internet Explorer only):
<script>document.execCommand('ClearAuthenticationCache', 'false');</script>
Jan Cinert
Posted 2010-08-27T21:05:39.597
Reputation: 21
3there doesn't seem to be a way to reliably invalidates credentials that behaves consistently across browses and doesn't pop up an unwanted login box. – Michael – 2014-12-16T16:42:45.297
Logout link using incorrect credentials is already covered in another answer
– Dmitry Grigoryev – 2015-10-02T22:54:08.1970
Not sure if this will help anyone else, but in my case i thought that it was a bad password that firefox was storing when i couldn't access a site with basic HTTP authentication. But it turns out that site was actually using NTLMv1 (windows version of basic http authentication) which firefox has now disabled by default since version 30.
To enable go to about:config, and set the pref network.negotiate-auth.allow-insecure-ntlm-v1 to True.
Firefox does not prompt for password for http authenticated sites, how to make it prompt?
deweydb
Posted 2010-08-27T21:05:39.597
Reputation: 121
-2
Well, I expire the client's PHPSESSIONID. When you expire it, it will remove it from the client browser. The second step (which I haven't figured out) would be to delete the session cookie on the server side that would remove the auth state on the server before it times out and will prevent the server from generating a new phpsessionid when it see this client without the cookie.
<script type="text/javascript">
document.cookie = "PHPSESSID=;Path=/;expires=Thu, 01 Jan 1970 00:00:01 GMT;";
</script>
drtechno
Posted 2010-08-27T21:05:39.597
Reputation: 99
An HTTP basic authentication does not imply a session in the server, neither a cookie. Also, even if it did, your solution would not work in almost any case since nowadays almost all session cookies are marked as secure which forbids javascript to access them. – NuTTyX – 2017-11-19T20:04:58.097
well it takes a cookie out of firefox browser when I look at the cookies, but there is more to it. when I clear the bowser cache and delete active logins, then when I go back to the directory on the website I get the http auth dialog box. I wonder if there is a global command that will flush its active login from the browser. If not, there should be. – drtechno – 2017-11-25T03:19:07.563
My bad, I meant "http-only" flag which forbids javascript to access the data inside the cookie programmatically. As for the original question itself, I stumbled upon a way which would make some browsers forget, but in some cases (like in IE) they have rendered it unusable for security reasons: if you type the url prefixed by a nonexistent user and password, they would "overwrite" your previous login: https://logoff:nopasswd@www.site.com
– NuTTyX – 2018-06-09T15:34:36.563-4
The easiest way is to log out from the site instead of just closing the tab. If this is not an option and you know before hand you will be visiting a site you want forgotten you can install Sandboxie and run your Firefox (or any browser) in a sandbox. Delete the contents of the sandbox when done and everything you have done is gone.
Beaner
Posted 2010-08-27T21:05:39.597
Reputation: 3 193
12HTTP authentication is a special type of HTTP header that causes your web browser to prompt you for a user name and password, then re-send it automatically when it's needed. When a website uses this type of authentication, there is no way for the website to offer a log out option. In most browsers, you have to close the browser for it to forget your login information. – Bavi_H – 2010-08-28T02:19:42.370
@Bavi_H: I've heard that some browsers will forget existing sessions if the site sends a HTTP 401 while logged in. – user1686 – 2011-10-11T17:46:43.810
1Just clearing site cookies do not invalidate saved username and password for basic authentication. – Petr Gladkikh – 2012-08-28T04:13:30.567
works on firefox thanx – themhz – 2016-10-06T15:36:01.210
7In the current Firefox, this menu option is in the
Historymenu, notTools. I verified this with Firefox 29.0.1. – Mei – 2014-05-20T16:13:21.603