Ok, this seems to be a known issue with FireFox. I found various "indirect" articles:

http://lists.macosforge.org/pipermail/webkit-unassigned/2006-March/006196.html
http://lullabiesincode.blogspot.com/2007/02/problem-with-firebug-and-http.html

Even one that says FireBug might be the issue:

http://code.google.com/p/fbug/issues/detail?id=19&can=2

But I tried this on another machine with firefox sans Firebug with the same issue.

However, this article seems to confirm the issue:

http://www.berenddeboer.net/rest/authentication.html

and it came up to the same conclusion:

------ quote ----
So a logout can be either of two things: logout, but also logging again. Logout and login are actually the same thing! Once this concept is grasped, the solution falls into place quite nicely:

1. The logout link is the same as the login link.
2. We add a special query string to it so login can deny access on the first attempt, forcing the browser to display the login dialog box.

The "first attempt" is the issue here.
------ unquote ----

The rest of the article suggests a solution but this is not generic and in addition, there are some DIGEST options that will change the picture slightly like we discovered in our DIGEST + COOKIE method to remove Browser Credentials. It works perfectly for all browsers except with FIREFOX/XHR.

So this seems to be more germane to XHR implementation in FireFox because the credentials are always passed for with the URL paths are different. Not just with XHR.

So I need to continue looking to see if this can be solved for FireFox.

Any "time saving" comments would be appreciated. :-)

---
HLS

On Aug 29, 6:01 pm, Pops <[EMAIL PROTECTED]> wrote:
> I'm pulling my hair on this one. It might not be a jQuery issue but
> just the BROWSER issue. But since I am planning to use jQuery, the
> issue applies to it as well.
>
> First, this is under FIREFOX only. I don't see this behavior with IE
> and OPERA. But I think maybe it may be something by FF design and/or the
> others don't see it as a "Security issue."
>
> I can reduce the issue to this and I'm looking for an answer:
>
> - I am using XHR to login and XHR to logout.
> - The /Logout Url is not working because the Authentication header is
>   not passed with the XHR
>
> I narrowed it down to this:
>
> If the original URL PATH (not domain) that forced a login is
> different from the "/logout" url, then XHR will not pass the
> Authentication header.
>
> So I can have this for example:
>
> // Four buttons bound to XHR calls
> // (each handler is wrapped in a function so the request fires on click)
>
> $("#btnLogin").click(function () { $.get("/login"); });
> $("#btnLogout").click(function () { $.get("/logout"); });
> $("#btnUrl1").click(function () { $.get("/folder1/someurl"); });
> $("#btnUrl2").click(function () { $.get("/folder2/someurl"); });
>
> if the user logs in via the login button, and then logs off via the
> logout button, it's all fine.
>
> However, if the user goes directly to a private side folder url by
> clicking the folder buttons, the server forces the login as expected,
> but from that point, the logout button doesn't work because the XHR is
> no longer sending the Authentication Header.
>
> So it's not a Cross-Domain thing but a Cross Folder issue.
>
> Make sense?
>
> If so, how can I resolve this with jQuery and Firefox or I am beating
> a dead horse?
>
> --
> HLS
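
Added example, not part of the original thread: a small model of the RFC 2617 rules a client uses to decide which requests get credentials preemptively, run over the four URLs from the post. That Firefox's XHR follows the Basic path rule in this case is an assumption, and the function names are illustrative.

```javascript
// Added example: client-side scoping of preemptive credentials per RFC 2617.
// Only same-host, path-only URLs are handled (assumption for brevity).

const pathOnly = (url) => url.split(/[?#]/)[0];

// Basic (section 2): scope is every path at or below the directory of the
// URL that was authenticated. "/folder1/someurl" -> "/folder1/", "/login" -> "/"
function basicScope(authedUrl) {
  const p = pathOnly(authedUrl);
  return p.slice(0, p.lastIndexOf("/") + 1) || "/";
}

function basicSendsCredentials(authedUrl, requestUrl) {
  return pathOnly(requestUrl).startsWith(basicScope(authedUrl));
}

// Digest (section 3.2.1): the challenge's space-separated "domain" list gives
// the prefixes; an omitted or empty list means every URI on the server.
function digestSendsCredentials(domainDirective, requestUrl) {
  const prefixes = (domainDirective || "").split(/\s+/).filter(Boolean);
  if (prefixes.length === 0) return true;
  return prefixes.some((prefix) => pathOnly(requestUrl).startsWith(prefix));
}

// Constructed scenarios built from the four URLs in the post.
function scenarios() {
  const urls = ["/login", "/logout", "/folder1/someurl", "/folder2/someurl"];
  const rows = [];
  for (const authed of ["/login", "/folder1/someurl"]) {
    for (const req of urls) {
      rows.push({ authed, req, sent: basicSendsCredentials(authed, req) });
    }
  }
  return rows;
}

for (const { authed, req, sent } of scenarios()) {
  console.log(`authenticated at ${authed}, request ${req}: ${sent ? "Authorization sent" : "no header"}`);
}
console.log("digest domain='/folder1/' ->", digestSendsCredentials("/folder1/", "/logout"));
console.log("digest domain omitted ->", digestSendsCredentials("", "/logout"));
```

Under this model a login first answered at /folder1/someurl never covers /logout, while one answered at /login (scope "/") covers every path, which matches the two cases described in the post.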