
Can the HTTP response header Authorization be managed from the server?

I'm playing with HTTP Basic Authorization. As we all know, when a client gets a 401 error on requesting a page, the client must collect authorization credentials from the users (typically in the form of a pop-up window).

Subsequent requests for resources under that part of the URL will be accompanied by "Authorization: Basic [hash]" where [hash] is the username/password mashed together and hashed.

What I'm interested in is getting the client to not send the Authorization header even when requesting a resource that previously asked for it.

Three important questions:

  1. Is this possible?

  2. If possible, does this violate the HTTP/1.1 standard (I'm unclear that this case is covered by the spec)?

  3. What browsers support this?

Thanks for your time, Internet.

UPDATE: Apparently, this is an Apache FAQ and I am SOL. Still, if you've got thoughts on this question, I'd love to hear about it. Thanks.


I don't think this is possible. The authenticated session lasts until the user shuts the browser window, and the browser will keep on blindly passing the credentials with each request under the same path.

Is there any specific reason why you want this functionality?


You can set the user and password in the URL:

http://user:password@example.com

If you use this syntax, the browser will generate the header for you.
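
The header a client derives from the userinfo part of a URL like the one above, and how a server reads it back, as an added example that is not part of the original answers. Under RFC 7617 the value is the Base64 encoding of `user:password`, so the server recovers both fields directly; the function names and the sample URL are illustrative assumptions.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote


def basic_header_from_url(url):
    """Build the Authorization value a client derives from URL userinfo."""
    parts = urlsplit(url)
    if parts.username is None:
        return None  # no userinfo in the URL, so no header is generated
    # urlsplit leaves userinfo percent-encoded; decode it before encoding.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_header(value):
    """Server side: recover (user, password), or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # RFC 7617 requires the colon separator
    return user, password


if __name__ == "__main__":
    # Constructed sample URL mirroring the syntax shown in the answer.
    header = basic_header_from_url("http://user:password@example.com")
    print("Authorization:", header)
    print("decoded by server:", parse_basic_header(header))
```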
