Opened 19 years ago
Closed 19 years ago
#2350 closed defect (duplicate)
Can't logout when using auth for whole site
Reported by: | | Owned by: | Jonas Borgström |
---|---|---|---|
Priority: | high | Milestone: | |
Component: | general | Version: | 0.9 |
Severity: | normal | Keywords: | |
Cc: | | Branch: | |
Release Notes: | | | |
API Changes: | | | |
Internal Changes: | | | |
Description (last modified by )
I've set up a trac install and require authentication for the whole site.
I'm using trac with apache2 + mod_python.
My config is as follows:
```apache
# Re-direct from / to /trac
RewriteEngine On
RewriteRule ^/+$ /trac [R]

Alias /trac/ /usr/share/trac/htdocs/
<Directory "/usr/share/trac/htdocs">
    Order allow,deny
    Allow from all
</Directory>

<Location /trac>
    SetHandler mod_python
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnvParentDir "/var/www/trac/"
    PythonOption TracUriRoot /trac
</Location>

<Location />
    AuthType Basic
    AuthName "Projects"
    AuthUserFile /etc/httpd/conf.d/auth/htpasswd
    Require valid-user
</Location>
```
This works OK, i.e. users must login to get access to any part of the site.
However, the "logout" link doesn't work.
I'd like for users to be able to logout. This should revoke their browser authentication and force them to login again.
Attachments (0)
Change History (5)
comment:1 by , 19 years ago
Description: | modified (diff) |
---|
comment:2 by , 19 years ago
Resolution: | → duplicate |
---|---|
Status: | new → closed |
This incident seems to be a duplicate of #791, with the additional issue of setting authentication on the root location (whole site, instead of ../login).
comment:3 by , 19 years ago
This is a problem due to Trac's dependence on the authentication mechanisms of the underlying web server. This means that your web browser has to send the authentication information with every request, making it almost impossible to logout.
However, if you just want to be able to switch from one user to another (without closing your browser), you could do something like this (quick'n'dirty & provided "AS IS" with no warranties ;-)):
-
trac/web/auth.py
130 130 # Not logged in 131 131 return 132 132 133 db = self.env.get_db_cnx() 134 cursor = db.cursor() 135 cursor.execute("SELECT cookie FROM auth_cookie " 136 "WHERE name=%s", (req.authname,)) 137 row = cursor.fetchone() or [] 138 139 if row != []: 140 req.send_response(401) 141 req.end_headers() 142 else: 143 req.redirect(self.env.href('/login')) 144 133 145 # While deleting this cookie we also take the opportunity to delete 134 146 # cookies older than 10 days 135 db = self.env.get_db_cnx()136 cursor = db.cursor()137 147 cursor.execute("DELETE FROM auth_cookie WHERE name=%s OR time < %s", 138 148 (req.authname, int(time.time()) - 86400 * 10)) 139 149 db.commit()
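Review bot: the 401 sent at new lines 140-141 carries no WWW-Authenticate header, which HTTP requires on a 401 response, so whether a browser drops its cached Basic credentials for the realm is left to the browser; send the Basic challenge with the same realm as the server's AuthName before `req.end_headers()`. On that branch the DELETE and `db.commit()` run only after the response headers have been ended, so the auth_cookie cleanup would be better placed ahead of the `if`, and `row = cursor.fetchone() or []` followed by `if row != []:` reads more simply as a plain truth test on `row`.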
The patch above changes auth.py so that it sends a 401 - Unauthorized when hitting the logout button. This results in deleting the user credentials stored by your web browser.
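The behaviour described in comment:3, as an added example that is not part of the ticket or of Trac's code: a stand-alone WSGI sketch in which the application itself checks the Basic credentials (in the ticket's setup Apache does this). The `USERS` account, the `/logout` path handling and the `request` helper are constructed for illustration; the realm is the AuthName from the configuration above. It shows that a 401 on logout only asks the client to forget its credentials, while the server has nothing to revoke.

```python
import base64
import hmac

REALM = "Projects"  # AuthName from the ticket's Apache config
USERS = {"alice": "s3cret-constructed"}  # constructed sample account

def authenticated_user(environ):
    """Return the user name from a valid Basic Authorization header, else None."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None

def challenge(start_response):
    """401 plus the WWW-Authenticate header that names the realm."""
    start_response("401 Unauthorized", [
        ("WWW-Authenticate", 'Basic realm="%s"' % REALM),
        ("Content-Type", "text/plain"),
    ])
    return [b"authentication required\n"]

def app(environ, start_response):
    user = authenticated_user(environ)
    # "Logout" answers with a challenge even when the credentials are valid, so a
    # browser that treats the 401 as a rejected login prompts for the realm again.
    if environ.get("PATH_INFO") == "/logout" or user is None:
        return challenge(start_response)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s\n" % user).encode()]

def request(path, user=None, password=None):
    """Call the app in-process; returns (status code, headers dict, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = int(status.split()[0]), dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Calling `request("/logout", ...)` and then `request("/wiki", ...)` with the same credentials returns 401 followed by 200: a client that keeps sending the header stays logged in, which is why this approach switches users in a browser but does not revoke access.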
comment:4 by , 19 years ago
Resolution: | duplicate |
---|---|
Status: | closed → reopened |
I have exactly the same problem. I therefore tried the modifications described by markus. But it didn't have any effect at all. Could I have done anything wrong? I changed the file and compiled again, restarted Apache and … nothing.
comment:5 by , 19 years ago
Resolution: | → duplicate |
---|---|
Status: | reopened → closed |
As stated before by eblot, this ticket is a duplicate of #791.
(please, don't forget to use block quotes when inserting configuration data or stack traces)