Can't logout when using auth for whole site

[robin-trac@…]

I've set up a trac install and require authentication for the whole site.

I'm using trac with apache2 + mod_python.

My config is as follows:

    # Re-direct from / to /trac
    RewriteEngine On
    RewriteRule ^/+$ /trac [R]

    Alias /trac/ /usr/share/trac/htdocs/
    <Directory "/usr/share/trac/htdocs">
        Order allow,deny
        Allow from all
    </Directory>

    <Location /trac>
        SetHandler mod_python
       PythonHandler trac.web.modpython_frontend
        PythonOption TracEnvParentDir "/var/www/trac/"
        PythonOption TracUriRoot /trac
    </Location>

    <Location />
        AuthType Basic
        AuthName "Projects"
        AuthUserFile /etc/httpd/conf.d/auth/htpasswd
        Require valid-user
    </Location>

This works OK, i.e. users must login to get access to any part of the site.

However, the "logout" link doesn't work.

I'd like for users to be able to logout. This should revoke their browser authentication and force them to login again.

[Christian Boos]

(please, don't forget to use block quotes when inserting configuration data or stack traces)

[Emmanuel Blot]

This incident seems to be a duplicate of #791, with the additional issue of setting authentication on the root location (whole site, instead of ../login).

[markus]

This is a problem due to Trac's dependence on the authentication mechanisms of the underlying web server. This means that your web browser has to send the authentication information with every request, making it almost impossible to logout.

However, if you just want to be able to switch from one user to another (without closing your browser), you could do something like this (quick'n'dirty & provided "AS IS" with no warranties ;-)):

trac/web/auth.py

@@ -130 +130 @@
             # Not logged in
             return
 
+        db = self.env.get_db_cnx()
+        cursor = db.cursor()
+        cursor.execute("SELECT cookie FROM auth_cookie "
+                       "WHERE name=%s", (req.authname,))
+        row = cursor.fetchone() or []
+
+        if row != []:
+            req.send_response(401)
+            req.end_headers()
+        else:
+            req.redirect(self.env.href('/login'))
+
         # While deleting this cookie we also take the opportunity to delete
         # cookies older than 10 days
-        db = self.env.get_db_cnx()
-        cursor = db.cursor()
         cursor.execute("DELETE FROM auth_cookie WHERE name=%s OR time < %s",
                        (req.authname, int(time.time()) - 86400 * 10))
         db.commit()

The patch above changes auth.py so that it sends a 401 - Unauthorized when hitting the logout button. This results in deleting the user credentials stored by your web browser.

[mala]

I have exactly the same problem. I therefore tried the modifications described by markus. But It didn't have any effects at all. Could I have been dont anything wrong? I changed the file and compiled again, restarted Apache and … nothing.

[Matthew Good]

As stated before by eblot, this ticket is a duplicate of #791.