Logout in Tornado doesn't work


Irene Bontà

Apr 24, 2013, 7:38:20 AM
to python-...@googlegroups.com

I wrote the login and logout handlers in Tornado, using the Google external service for the login.

The handlers are the following:

###############################################################################
# Manage login requests using Google authentication
###############################################################################
class AuthLoginHandler(BaseHandler, tornado.auth.GoogleMixin):
    @tornado.web.asynchronous
    def get(self):
        if self.get_argument("openid.mode", None):
            self.get_authenticated_user(self.async_callback(self._on_auth))
            return
        self.authenticate_redirect()

    # Authentication-OK callback.
    # Save user info on the first connection.
    # Only save a last-login timestamp otherwise.
    def _on_auth(self, user):
        if not user:
            raise tornado.web.HTTPError(500, "Google auth failed")

        str_time = datetime.datetime.now().isoformat()

        usr = self.db.get("SELECT * FROM users WHERE email=%s", user["email"])
        if not usr:
            # Create user entry in the WSN-database
            self.lock_tables("write", ['users'])
            usr_id = self.db.execute("INSERT INTO users (email, name, last_access) \
                                                  VALUES (%s,%s,%s)",
                                                  user["email"], user["name"], str_time)
            self.unlock_tables()
        else: 
            self.lock_tables("write", ['users'])
            usr_id = usr["id"]
            self.db.execute("UPDATE users SET last_access=%s WHERE id=%s",
                            str_time, usr_id)
            self.unlock_tables()

        self.set_secure_cookie("user", str(usr_id))
        self.info("Hello <b>" + user["name"] + "</b>!")
        self.redirect(self.get_argument("next", "/"))

    # Do not log Login info
    def _log(self):
        pass

################################################################################
# Logout handler. Simply clear the "user" cookie and redirect to homepage.
################################################################################
class AuthLogoutHandler(BaseHandler, tornado.auth.GoogleMixin):
    def get(self):
        self.clear_cookie("user")
        self.notice("You have successfully logged out")
        self.redirect("/")

I would like that, when a user is logged out, clicking the back button of the browser does not show him as logged in. In other words, I would like the back button not to work... Instead, after I log the user out, if he clicks the back button he can navigate the web pages as if he were still logged in.

Any suggestions? Thank you.

Aleksey Silk

Apr 24, 2013, 7:42:14 AM
to python-...@googlegroups.com
Show your handlers ...
And how do you navigate to logout?

With best regards, Aleksey Silk
 
skype - rootiks
 


2013/4/24 Irene Bontà <irene...@gmail.com>


Irene Bontà

Apr 24, 2013, 8:22:16 AM
to python-...@googlegroups.com
I have this part of code:

{% if current_user %}
<ul class="nav pull-right">
  <li class="divider-vertical"></li>
  <li class="dropdown">
    <a href="#" class="dropdown-toggle" data-toggle="dropdown"><i class="icon-user icon-white"></i> {{current_user.name}} <b class="caret"></b></a>
    <ul class="dropdown-menu">
      <li><a href="/auth/logout?next={{ url_escape(request.uri) }}">Sign out</a></li>
    </ul>
  </li>
</ul>
<br/>
{% else %}
<button class="btn btn-inverse">
  {{ _('<a href="%(url)s">Sign in</a>') % {"url": "/auth/login?next=" + url_escape(request.uri)} }}
</button>
{% end %}

aliane abdelouahab

Apr 24, 2013, 4:22:13 PM
to Tornado Web Server
Logout is just the process of deleting the cookies. Just test it with
your browser: F12 (on Chrome) to inspect element, go to Resources,
then to Element, then go to Cookies, and just delete them. It's what
Tornado will do: delete the cookie that has the permission!

here is my logout:

class LogoutHandler(tornado.web.RequestHandler):
    @tornado.web.authenticated
    def get(self):
        self.clear_cookie("mechtari")
        self.redirect("/")

where 'mechtari' is the name of that cookie.

the url spec:

(r"/logout", handlers.LogoutHandler),

and the HTML:

you just call /logout

<div class="header">
<a href="logout">Deconnexion</a>
</div>

and it is the same for logging out from google:

class gLogoutHandler(AdminHandler):
    def get(self):
        self.clear_cookie("alien")
        self.write('You are now logged out. Click <a href="/galien/login">here</a> to log back in.')

Ben Darnell

Apr 24, 2013, 9:19:00 PM
to Tornado Mailing List
On Wed, Apr 24, 2013 at 7:38 AM, Irene Bontà <irene...@gmail.com> wrote:

I wrote the login and logout handlers in Tornado, using for the login the Google external service.


The problem is that openid and oauth providers often remember authorization status on their own site even after you've deleted the cookies from your side.  It's usually possible to pass an extra parameter on the authentication redirect to force the user to log in again, but unfortunately there doesn't seem to be a common standard across the auth providers (on twitter it's force_login=true; it's not obvious from a quick look at google's docs what to use there).  I'm not sure if tornado.auth allows you to pass additional parameters at the right place; if not patches are of course welcome once you've identified the right place.

-Ben
 


Aleksey Silk

Apr 25, 2013, 12:56:50 AM
to python-...@googlegroups.com
I think the problem is in the handlers. As far as I can see, there is one /auth/ handler but two: AuthLoginHandler and AuthLogoutHandler.
 

With best regards, Aleksey Silk
 
skype - rootiks
 


2013/4/25 Ben Darnell <b...@bendarnell.com>

Irene Bontà

Apr 29, 2013, 6:28:37 AM
to python-...@googlegroups.com, b...@bendarnell.com
So you think it's a problem of openid and oauth? My cookie is deleted correctly!! Also when I click on the back button, the cookie no longer exists. But I can see the pages like I'm logged in....

Aleksey Silk

Apr 29, 2013, 6:50:14 AM
to python-...@googlegroups.com
I think this is a browser history problem. It gives you a cached result. You need to delete the cache or set the auth parameter on in Tornado.

With best regards, Aleksey Silk
 
skype - rootiks
 


2013/4/29 Irene Bontà <irene...@gmail.com>
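
The browser-cache explanation in the last reply, as an added example that is not part of the thread: a Tornado base handler that marks every response `no-store`, so pressing Back after logout forces a new request, which the `@tornado.web.authenticated` check then redirects to the login URL. `PrivateHandler`, `SECRET`, `make_app`, `demo` and the routes are assumptions for the demo; the thread's own `BaseHandler` is not shown.

```python
import asyncio
import tornado.httpclient
import tornado.httpserver
import tornado.netutil
import tornado.web

SECRET = "constructed-demo-secret"  # placeholder value, constructed for this example

class BaseHandler(tornado.web.RequestHandler):
    def set_default_headers(self):
        # Sent on every response: the browser must not keep a copy that it
        # could replay from history after the "user" cookie is cleared.
        self.set_header("Cache-Control", "no-store, no-cache, must-revalidate")
        self.set_header("Pragma", "no-cache")

    def get_current_user(self):
        return self.get_secure_cookie("user")

class PrivateHandler(BaseHandler):  # hypothetical protected page
    @tornado.web.authenticated
    def get(self):
        self.write("private page")

class AuthLogoutHandler(BaseHandler):
    def get(self):
        self.clear_cookie("user")
        self.redirect("/")

def make_app():
    return tornado.web.Application(
        [(r"/private", PrivateHandler), (r"/auth/logout", AuthLogoutHandler)],
        cookie_secret=SECRET, login_url="/auth/login")

async def demo():
    # Serve on an ephemeral local port; fetch /private with and without a session.
    sockets = tornado.netutil.bind_sockets(0, "127.0.0.1")
    server = tornado.httpserver.HTTPServer(make_app())
    server.add_sockets(sockets)
    url = "http://127.0.0.1:%d/private" % sockets[0].getsockname()[1]
    cookie = "user=" + tornado.web.create_signed_value(SECRET, "user", "1").decode()
    fetch = tornado.httpclient.AsyncHTTPClient().fetch
    opts = dict(follow_redirects=False, raise_error=False)
    logged_in = await fetch(url, headers={"Cookie": cookie}, **opts)
    logged_out = await fetch(url, **opts)  # what a post-logout Back press now triggers
    server.stop()
    return logged_in, logged_out

if __name__ == "__main__":
    a, b = asyncio.run(demo())
    print(a.code, a.headers["Cache-Control"], "|", b.code, b.headers["Location"])
```

Without these headers the browser may redisplay the logged-in copy of the page from its history even though the cookie is gone, which matches what the original poster reports.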