Version 7 (modified by sgorilla, 8 years ago)

True logout mechanism for Basic/Digest Authentication

Description

This patch makes it possible to log out from Basic/Digest Auth without closing the browser.

On the one hand, Apache claims that it is not possible.

On the other hand, Nano Documet gives a solution that works with most recent browsers.

This patch works for tracd standalone. There's no need for Apache or any other server.

I am lazy tonight, so I give you only the file changes.
This patch should work on all platforms, although I've only tested version 0.9.6 on Windows XP. I have successfully tested Firefox 1.5 and Internet Explorer 6.

Usage

  • First remove the buggy AuthFormPlugin. ;-)
    (security flaw: any user can log in to another account without a password)
  • In the file Share\trac\htdocs\js\trac.js, append at the end of the file:
    function clearAuthenticationCache(page) {
      // Default to a non-existing page (give error 500).
      // An empty page is better, here.
      if (!page) page = '.force_logout';
      try{
        var agt=navigator.userAgent.toLowerCase();
        if (agt.indexOf("msie") != -1) {
          // IE clear HTTP Authentication
          document.execCommand("ClearAuthenticationCache");
        }
        else {
          // Let's create an xmlhttp object
          var xmlhttp = createXMLObject();
          // Let's prepare invalid credentials
          xmlhttp.open("GET", page, true, "logout", "logout");
          // Let's send the request to the server
          xmlhttp.send("");
          // Let's abort the request
          xmlhttp.abort();
        }
      } catch(e) {
        // There was an error
        return;
      }
    }
        
    function createXMLObject() {
      // Declare locally so the function does not leak a global variable
      var xmlhttp = false;
      try {
        if (window.XMLHttpRequest) {
          xmlhttp = new XMLHttpRequest();
        }
        // code for IE
        else if (window.ActiveXObject) {
          xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
      } catch (e) {
        xmlhttp = false;
      }
      return xmlhttp;
    }
    
  • In the file Lib\site-packages\trac\web\auth.py, locate the method get_navigation_items, and change:
    yield ('metanav', 'logout',
           Markup('<a href="%s">Logout</a>' 
                  % escape(self.env.href.logout())))
    
    to:
    yield ('metanav', 'logout',
           Markup('<a href="%s" onclick="clearAuthenticationCache(\'%s\');">Logout</a>' 
                  % ((escape(self.env.href.logout()),) *2) ))
    
  • Now it's OK to start tracd and test the logout feature.
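
What the server sees during this logout, as an added example that is not part of the original patch or of Trac: a minimal WSGI app with Basic auth, driven without a network. The realm, the alice account and the helper names are constructed, and the step where the browser replaces its cached credentials with logout/logout is assumed from the page's description of the XHR call.

```python
import base64
import hmac

CHALLENGE = 'Basic realm="trac-demo"'  # constructed realm name
USERS = {"alice": "correct horse"}     # constructed account store, demo only
BOGUS = ("logout", "logout")           # the pair the page's XHR sends

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:                 # bad base64 or bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def app(environ, start_response):
    """Minimal WSGI app: 200 for a known user, otherwise a 401 challenge."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    expected = USERS.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(
            expected.encode(), creds[1].encode()):
        start_response("401 Unauthorized", [("WWW-Authenticate", CHALLENGE)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s" % creds[0]).encode()]

def status_for(creds):
    """Send one request carrying creds (or none) and return the status code."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/wiki"}
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])

def logout_sequence():
    """Statuses before the XHR, for the XHR, and for the next page load."""
    login = ("alice", "correct horse")    # what the browser holds after login
    # Assumed effect of the page's xmlhttp.open(...): the cache now holds BOGUS
    return status_for(login), status_for(BOGUS), status_for(BOGUS)

def bogus_pair_is_rejected():
    """Deployment check: the logout only works if this returns True."""
    return status_for(BOGUS) == 401
```

If bogus_pair_is_rejected() returns False for a given user store, the server accepts logout/logout as a real account and the logout link does not end the authenticated state.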

Comments

Thanks a ton! This works like a charm.

Has this been filed as a ticket, so it can be possibly included in future releases? bill.mill@…


Ticket #3577 asks to include this in future releases.
-- Florent

Recent Changes

[1138] by flox on 2006-08-17 22:34:59
New hack TrueHttpLogoutPatch, created by flox

Author/Contributors

Author: flox
Contributors:

Here is the patch for 0.10 - by sgorilla

             yield ('metanav', 'logout', 
                    html.A('Logout', href=req.href.logout(), 
                           onclick="clearAuthenticationCache(\'%s\')" % req.href.logout()))
