Version 15 (modified by gt4329b, 9 years ago) (diff)


True logout mechanism for Basic/Digest Authentication


This patch allows to logout from Basic/Digest Auth without closing the browser.

On one hand Apache claims that it is not possible.

On other hand, Nano Documet give a solution that works with most recent browsers.

This patch works for tracd standalone. There's no need of Apache or any other server.

I am lazy tonight, so i give you only the file changes.
This patch should work on all platform, although I've only tested version 0.9.6 on Windows XP. I have tested successfully Firefox 1.5 and Internet Explorer 6

Amazing! Tested successfully Firefox/ (Linux) and Trac

But not with konqueror :-(


  • file Share\trac\htdocs\js\trac.js, append at the end of file:
    function clearAuthenticationCache(page) {
      // Default to a non-existing page (give error 500).
      // An empty page is better, here.
      if (!page) page = '.force_logout';
        var agt=navigator.userAgent.toLowerCase();
        if (agt.indexOf("msie") != -1) {
          // IE clear HTTP Authentication
        else {
          // Let's create an xmlhttp object
          var xmlhttp = createXMLObject();
          // Let's prepare invalid credentials
"GET", page, true, "logout", "logout");
          // Let's send the request to the server
          // Let's abort the request
      } catch(e) {
        // There was an error
    function createXMLObject() {
      try {
        if (window.XMLHttpRequest) {
          xmlhttp = new XMLHttpRequest();
        // code for IE
        else if (window.ActiveXObject) {
          xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
      } catch (e) {
      return xmlhttp;
  • file Lib\site-packages\trac\web\, locate method get_navigation_items, and change:
    yield ('metanav', 'logout',
           Markup('<a href="%s">Logout</a>' 
                  % escape(self.env.href.logout())))
    yield ('metanav', 'logout',
           Markup('<a href="%s" onclick="clearAuthenticationCache(\'%s\');">Logout</a>' 
                  % ((escape(self.env.href.logout()),) *2) ))
  • Now that's ok to start tracd and test logout feature.

(Patches for other versions below)


Thanks a ton! this works like a charm.

Has this been filed as a ticket, so it can be possibly included in future releases? bill.mill@…

Ticket #3577 ask to include this in future releases.
-- Florent

Recent Changes

1138 by flox on 2006-08-17 22:34:59
New hack TrueHttpLogoutPatch, created by flox


Author: flox

Here is the patch for 0.10 - by sgorilla

             yield ('metanav', 'logout', 
                    html.A('Logout', href=req.href.logout(), 
                           onclick="clearAuthenticationCache(\'%s\')" % req.href.logout()))

And here's the patch for 0.11 - by gt4329b:

            yield ('metanav', 'logout',
                    tag.a('Logout', href=req.href.logout(),
                         onclick="clearAuthenticationCache(\'%s\')" % req.href.logout() ))

You guys rock! I had created a 4 step script for people, but this actually does what logout is supposed to do :) For 0.8.4, rather than changing, you change the template file header.cs, by replacing this:

    <li><a href="<?cs var:trac.href.logout ?>">Logout</a>

with this

    <li><a href="<?cs var:trac.href.logout ?>"
    onclick="clearAuthenticationCache('<?cs var:trac.href.logout ?>')">Logout</a>
  • by kriggs

Any way to have this work with AuthRequiredPlugin so that a logout doesn't immediately result in an auth dialog? (Yes, I realize this is the correct behavior with this patch and the plugin, just wanted to know if there's a simple workaround!)

Not sure what you're asking here. This patch is designed to provide true http logout for those using the http auth mechanism. The AuthRequiredPlugin is designed to work with the AccountManagerPlugin which provides form based login and already provides true logout. To accomplish the same net effect as the AuthRequiredPlugin with http auth, you merely need to move the auth information to the root of the trac environment as opposed to /login. Thus, I would recommend adjusting web server configuration and dropping the AuthRequiredPlugin or use the forms based login from AccountManagerPlugin --BladeHawke

Attachments (2)

Download all attachments as: .zip