True logout mechanism for Basic/Digest Authentication

Description

This patch allows to logout from Basic/Digest Auth without closing the browser.

On one hand Apache claims that it is not possible.
On the other hand, Nano Documet gives a solution that simply works.
The concept is explained on Berend de Boer page.

This patch works for tracd standalone. There's no need of Apache or any other server.

I am lazy tonight, so i give you only the file changes.
This patch should work on all platform, although I've only tested version 0.9.6 on Windows XP. I have tested successfully Firefox 1.5 and Internet Explorer 6

Amazing! Tested successfully Firefox/2.0.0.2 (Linux) and Trac 0.10.3.1.

But not with konqueror :-(

Usage

  • file Share\trac\htdocs\js\trac.js, append at the end of file:
    function clearAuthenticationCache(page) {
      // Default to a non-existing page (give error 500).
      // An empty page is better, here.
      if (!page) page = '.force_logout';
      try{
        var agt=navigator.userAgent.toLowerCase();
        if (agt.indexOf("msie") != -1) {
          // IE clear HTTP Authentication
          document.execCommand("ClearAuthenticationCache");
        }
        else {
          // Let's create an xmlhttp object
          var xmlhttp = createXMLObject();
          // Let's prepare invalid credentials
          xmlhttp.open("GET", page, true, "logout", "logout");
          // Let's send the request to the server
          xmlhttp.send("");
          // Let's abort the request
          xmlhttp.abort();
        }
      } catch(e) {
        // There was an error
        return;
      }
    }
        
    function createXMLObject() {
      try {
        if (window.XMLHttpRequest) {
          xmlhttp = new XMLHttpRequest();
        }
        // code for IE
        else if (window.ActiveXObject) {
          xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
        }
      } catch (e) {
        xmlhttp=false
      }
      return xmlhttp;
    }
    
  • file Lib\site-packages\trac\web\auth.py, locate method get_navigation_items, and change:
    yield ('metanav', 'logout',
           Markup('<a href="%s">Logout</a>' 
                  % escape(self.env.href.logout())))
    
    to:
    yield ('metanav', 'logout',
           Markup('<a href="%s" onclick="clearAuthenticationCache(\'%s\');">Logout</a>' 
                  % ((escape(self.env.href.logout()),) *2) ))
    
  • Now that's ok to start tracd and test logout feature.

(Patches for other versions below)

Comments

Thanks a ton! this works like a charm.

Has this been filed as a ticket, so it can be possibly included in future releases? bill.mill@gmail.com


Ticket #3577 ask to include this in future releases.
-- Florent

Recent Changes

[1138] by flox on 08/17/06 22:34:59

New hack TrueHttpLogoutPatch, created by flox

Author/Contributors

Author: flox
Contributors:


Here is the patch for 0.10 - by sgorilla

             yield ('metanav', 'logout', 
                    html.A('Logout', href=req.href.logout(), 
                           onclick="clearAuthenticationCache(\'%s\')" % req.href.logout()))

And here's the patch for 0.11 - by gt4329b:

            yield ('metanav', 'logout',
                    tag.a('Logout', href=req.href.logout(),
                         onclick="clearAuthenticationCache(\'%s\')" % req.href.logout() ))


You guys rock! I had created a 4 step script for people, but this actually does what logout is supposed to do :) For 0.8.4, rather than changing auth.py, you change the template file header.cs, by replacing this:

    <li><a href="<?cs var:trac.href.logout ?>">Logout</a>

with this

    <li><a href="<?cs var:trac.href.logout ?>"
    onclick="clearAuthenticationCache('<?cs var:trac.href.logout ?>')">Logout</a>

- by kriggs


Any way to have this work with AuthRequiredPlugin so that a logout doesn't immediately result in an auth dialog? (Yes, I realize this is the correct behavior with this patch and the plugin, just wanted to know if there's a simple workaround!)

Not sure what you're asking here. This patch is designed to provide true http logout for those using the http auth mechanism. The AuthRequiredPlugin is designed to work with the AccountManagerPlugin which provides form based login and already provides true logout. To accomplish the same net effect as the AuthRequiredPlugin with http auth, you merely need to move the auth information to the root of the trac environment as opposed to /login. Thus, I would recommend adjusting web server configuration and dropping the AuthRequiredPlugin or use the forms based login from AccountManagerPlugin --BladeHawke

-by Ross


problem with Opera 9.25 When I test the path with Opera the logout still does not work (remains on same page).


Using the following configuration: browsers under Mac OS X Leopard 10.5.2, server running FreeBSD 7.0, Apache 2.0 with SSL and Trac 10.1.

1) With Camino 1.6 works fine.

2) It doesn't work with Safari 3.1.1

-by Rik.


Confirmed that this patch does not work with Safari (3.1.2), but works fine with Camino. -lid (Jul 31 2008)

Attachments