= True logout mechanism for Basic/Digest Authentication =
== Description ==
This patch allows logging out of Basic/Digest Auth without closing the browser.
On one hand, Apache [http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq claims that it is not possible].
On the other hand, Nano Documet [http://nanodocumet.homedns.org/rest/ gives a solution] that works with most recent browsers.
This patch works for standalone `tracd`. There is no need for Apache or any other server.
I am lazy tonight, so I give you only the file changes.[[BR]]
This patch should work on all platforms, although I've only tested version 0.9.6 on Windows XP.
I have successfully tested ''Firefox 1.5'' and ''Internet Explorer 6''.
== Usage ==
* First remove the buggy AuthFormPlugin. ;-)[[BR]]
(security flaw: any user can log in to another account without a password)
* In file `Share\trac\htdocs\js\trac.js`, append at the end of the file:
{{{
// Make the browser forget the cached Basic/Digest credentials.
function clearAuthenticationCache(page) {
    // Default to a non-existing page (gives error 500).
    // An empty page is better, here.
    if (!page) page = '.force_logout';
    try {
        var agt = navigator.userAgent.toLowerCase();
        if (agt.indexOf("msie") != -1) {
            // IE: clear the HTTP authentication cache
            document.execCommand("ClearAuthenticationCache");
        }
        else {
            // Create an XMLHttpRequest object
            var xmlhttp = createXMLObject();
            // Prepare a request that carries invalid credentials
            xmlhttp.open("GET", page, true, "logout", "logout");
            // Send the request to the server
            xmlhttp.send("");
            // Abort the request
            xmlhttp.abort();
        }
    } catch (e) {
        // There was an error (for example, no XMLHttpRequest support)
        return;
    }
}

// Return an XMLHttpRequest object, or false if none is available.
function createXMLObject() {
    // Declared locally so that no global variable is created
    var xmlhttp = false;
    try {
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        }
        // Code for IE
        else if (window.ActiveXObject) {
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
    } catch (e) {
        xmlhttp = false;
    }
    return xmlhttp;
}
}}}
* In file `Lib\site-packages\trac\web\auth.py`, locate the method `get_navigation_items` and change:
{{{
            yield ('metanav', 'logout',
                   Markup('Logout'
                          % escape(self.env.href.logout())))
}}}
to:
{{{
            yield ('metanav', 'logout',
                   Markup('Logout'
                          % ((escape(self.env.href.logout()),) *2) ))
}}}
* Now you can start `tracd` and test the logout feature.
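The exchange this patch relies on, as an added example that is not part of the original patch or of Trac: a small Node.js model of a browser replaying cached Basic credentials and of the server's check, showing the status codes before and after the `logout`/`logout` request. The account, the realm name and the names `serve`, `BrowserModel` and `demo` are constructed for illustration, and the credential-replay behaviour of the browser is an assumption of the model.

```javascript
// Added example: models the Basic-auth exchange around the forced logout.
const REALM = "trac-demo";                            // constructed realm name
const USERS = new Map([["alice", "correct horse"]]);  // constructed account

// Parse "Basic base64(user:pass)"; returns null for anything malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(header || "");
  if (!m) return null;
  const text = Buffer.from(m[1], "base64").toString("utf8");
  const i = text.indexOf(":");
  return i < 0 ? null : { user: text.slice(0, i), pass: text.slice(i + 1) };
}

// Compare two secrets without exiting early on the first differing byte.
function sameSecret(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// Server side: 200 for a known user, otherwise 401 plus a challenge.
function serve(authorization) {
  const c = parseBasic(authorization);
  const expected = c && USERS.get(c.user);
  if (typeof expected === "string" && sameSecret(expected, c.pass)) {
    return { status: 200, user: c.user };
  }
  return { status: 401, challenge: `Basic realm="${REALM}"` };
}

// Client side (assumed behaviour): the last credentials used are replayed.
class BrowserModel {
  constructor() { this.cached = null; }
  request(user, pass) {
    // Explicitly supplied credentials overwrite the cached header.
    if (user !== undefined) this.cached = "Basic " + Buffer.from(`${user}:${pass}`).toString("base64");
    return serve(this.cached);
  }
}

// Login, normal browsing, the logout request, then the next page load.
function demo() {
  const b = new BrowserModel();
  return [
    b.request("alice", "correct horse").status, // user answers the prompt
    b.request().status,                         // cached header is replayed
    b.request("logout", "logout").status,       // clearAuthenticationCache() request
    b.request().status,                         // junk credentials are replayed
  ];
}
```

A quick server-side check after applying the patch is to look for a request to the logout page carrying the user name `logout` followed by 401 responses for the same client.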
== Comments ==
Thanks a ton! This works like a charm.
Has this been filed as a ticket, so it can be possibly included in future releases? [mailto:bill.mill@gmail.com bill.mill@gmail.com]
== Recent Changes ==
[[ChangeLog(truehttplogoutpatch, 3)]]
== Author/Contributors ==
'''Author:''' [wiki:flox] [[BR]]
'''Contributors:'''