Version 7 (modified by sgorilla, 10 years ago) (diff)


True logout mechanism for Basic/Digest Authentication


This patch allows to logout from Basic/Digest Auth without closing the browser.

On one hand Apache claims that it is not possible.

On other hand, Nano Documet give a solution that works with most recent browsers.

This patch works for tracd standalone. There's no need of Apache or any other server.

I am lazy tonight, so i give you only the file changes.
This patch should work on all platform, although I've only tested version 0.9.6 on Windows XP. I have tested successfully Firefox 1.5 and Internet Explorer 6


  • first remove buggy AuthFormPlugin. ;-)
    (security flaw: any user can login to another account without password)
  • file Share\trac\htdocs\js\trac.js, append at the end of file:
    function clearAuthenticationCache(page) {
      // Default to a non-existing page (give error 500).
      // An empty page is better, here.
      if (!page) page = '.force_logout';
        var agt=navigator.userAgent.toLowerCase();
        if (agt.indexOf("msie") != -1) {
          // IE clear HTTP Authentication
        else {
          // Let's create an xmlhttp object
          var xmlhttp = createXMLObject();
          // Let's prepare invalid credentials
"GET", page, true, "logout", "logout");
          // Let's send the request to the server
          // Let's abort the request
      } catch(e) {
        // There was an error
    function createXMLObject() {
      try {
        if (window.XMLHttpRequest) {
          xmlhttp = new XMLHttpRequest();
        // code for IE
        else if (window.ActiveXObject) {
          xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
      } catch (e) {
      return xmlhttp;
  • file Lib\site-packages\trac\web\, locate method get_navigation_items, and change:
    yield ('metanav', 'logout',
           Markup('<a href="%s">Logout</a>' 
                  % escape(self.env.href.logout())))
    yield ('metanav', 'logout',
           Markup('<a href="%s" onclick="clearAuthenticationCache(\'%s\');">Logout</a>' 
                  % ((escape(self.env.href.logout()),) *2) ))
  • Now that's ok to start tracd and test logout feature.


Thanks a ton! this works like a charm.

Has this been filed as a ticket, so it can be possibly included in future releases? bill.mill@…

Ticket #3577 ask to include this in future releases.
-- Florent

Recent Changes

1138 by flox on 2006-08-17 20:34:59
New hack TrueHttpLogoutPatch, created by flox


Author: flox

Here is the patch for 0.10 - by sgorilla

             yield ('metanav', 'logout', 
                    html.A('Logout', href=req.href.logout(), 
                           onclick="clearAuthenticationCache(\'%s\')" % req.href.logout()))

Attachments (2)

Download all attachments as: .zip