True logout mechanism for Basic/Digest Authentication


This patch allows you to logout from Basic/Digest Auth without closing the browser.

The concept is explained on Berend de Boer page.

This patch works for tracd standalone. There's no need of Apache or any other server. This patch should work on all platform, although I've only tested version 0.9.6 on Windows XP.


  • Tested successfully with Firefox and Internet Explorer 6.
  • It works fine with Camino.
  • It may not work with Safari and Konqueror.


  • file Share\trac\htdocs\js\trac.js, append at the end of file:
    function clearAuthenticationCache(page) {
      // Default to a non-existing page (give error 500).
      // An empty page is better, here.
      if (!page) page = '.force_logout';
        var agt=navigator.userAgent.toLowerCase();
        if (agt.indexOf("msie") != -1) {
          // IE clear HTTP Authentication
        else {
          // Let's create an xmlhttp object
          var xmlhttp = createXMLObject();
          // Let's prepare invalid credentials
"GET", page, true, "logout", "logout");
          // Let's send the request to the server
          // Let's abort the request
      } catch(e) {
        // There was an error
    function createXMLObject() {
      try {
        if (window.XMLHttpRequest) {
          xmlhttp = new XMLHttpRequest();
        // code for IE
        else if (window.ActiveXObject) {
          xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
      } catch (e) {
      return xmlhttp;
  • file Lib\site-packages\trac\web\, locate method get_navigation_items, and change:
    yield ('metanav', 'logout',
           Markup('<a href="%s">Logout</a>' 
                  % escape(self.env.href.logout())))
    yield ('metanav', 'logout',
           Markup('<a href="%s" onclick="clearAuthenticationCache(\'%s\');">Logout</a>' 
                  % ((escape(self.env.href.logout()),) *2) ))
  • Now that's ok to start tracd and test logout feature.

(Patches for other versions below)

Recent Changes

1138 by flox on 2006-08-17 22:34:59
New hack TrueHttpLogoutPatch, created by flox


Author: flox
Maintainer: Florent


Thanks a ton! this works like a charm.

Has this been filed as a ticket, so it can be possibly included in future releases? bill.mill@…

Ticket #3577 ask to include this in future releases.

-- Florent

Here is the patch for 0.10 - by sgorilla

             yield ('metanav', 'logout', 
                    html.A('Logout', href=req.href.logout(), 
                           onclick="clearAuthenticationCache(\'%s\')" % req.href.logout()))

And here's the patch for 0.11 - by gt4329b:

            yield ('metanav', 'logout',
                    tag.a('Logout', href=req.href.logout(),
                         onclick="clearAuthenticationCache(\'%s\')" % req.href.logout() ))

You guys rock! I had created a 4 step script for people, but this actually does what logout is supposed to do :) For 0.8.4, rather than changing, you change the template file header.cs, by replacing this:

    <li><a href="<?cs var:trac.href.logout ?>">Logout</a>

with this

    <li><a href="<?cs var:trac.href.logout ?>"
    onclick="clearAuthenticationCache('<?cs var:trac.href.logout ?>')">Logout</a>
  • by kriggs

Any way to have this work with AuthRequiredPlugin so that a logout doesn't immediately result in an auth dialog? (Yes, I realize this is the correct behavior with this patch and the plugin, just wanted to know if there's a simple workaround!)

Not sure what you're asking here. This patch is designed to provide true http logout for those using the http auth mechanism. The AuthRequiredPlugin is designed to work with the AccountManagerPlugin which provides form based login and already provides true logout. To accomplish the same net effect as the AuthRequiredPlugin with http auth, you merely need to move the auth information to the root of the trac environment as opposed to /login. Thus, I would recommend adjusting web server configuration and dropping the AuthRequiredPlugin or use the forms based login from AccountManagerPlugin --BladeHawke

-by Ross

problem with Opera 9.25 When I test the path with Opera the logout still does not work (remains on same page).

Using the following configuration: browsers under Mac OS X Leopard 10.5.2, server running FreeBSD 7.0, Apache 2.0 with SSL and Trac 10.1.

1) With Camino 1.6 works fine.

2) It doesn't work with Safari 3.1.1

-by Rik.

Confirmed that this patch does not work with Safari (3.1.2), but works fine with Camino. -lid (Jul 31 2008)

Much more simple workaround for firefox (?):

tag.a('Logout', href=req.abs_href.logout().replace("://","://anonymous@")))

Nothing more required.

-till (April 14 2010)

Last modified 7 weeks ago Last modified on Sep 3, 2016, 11:16:12 AM

Attachments (2)

Download all attachments as: .zip