[Sessions/Log-out] Problems with deleting/expiring a session.


Piotr X

Aug 26, 2011, 6:47:02 PM
to cherrypy-users
Hello all,

I have recently started to fool around with Cherrypy. While I could
solve many a problem with the documentation or post in the internet,
it seems that I can not crack this nut: It seems that whatever I do, I
can not perform a log out operation.


-- The login procedure is arranged by
cherrypy.lib.auth_digest.get_ha1_dict_plain(userlogins_dictionary):

root.user = MainPageSecure(current_dir)

digest_auth = {'tools.auth_digest.on': True,
               'tools.auth_digest.realm': 'test',
               'tools.auth_digest.get_ha1': get_ha1,
               'tools.auth_digest.key': 'a565c27146791cfb'}

'/user': digest_auth

-- Then, I use cherrypy.request.login to generate some user specific
data.

-- For the logout procedure, I provide MainPageSecure with a logout
link that is bound to a log_out method:

def log_out(self):
    """Terminates the session. Note that method is exposed. """
    print "\n -- terminating session for user: "+str(cherrypy.request.login)+".\n"
    print "Should kill session now.."
    cherrypy.lib.sessions.expire()

After starting the logout method, however, 'print cherrypy.session'
shows that the session is still there. Each time I activate
MainPageSecure by hitting the /users URL the program shows me the user
specific page. Instead of giving a new chance to provide login
information, the program simply operates with the session that was
activated once. Setting 'cherrypy.request.login = False' does not
help either.

Any ideas or enlightenments? I am not a complete novice to python, but I
am no truly trained programmer either. As such it can very well be
that I have misunderstood the one or other concept here..

Thanks for Your time --

Regards,

Piotr

Eric Larson

Aug 29, 2011, 5:45:23 PM
to cherryp...@googlegroups.com
Hi,


On Saturday, August 27, 2011 at 7:36 AM, Piotr X wrote:

> Hello all,
>
> I have recently started to fool around with Cherrypy. While I could solve many a problem with the documentation or post in the internet, it seems that I can not crack this nut: It seems that whatever I do, I can not perform a log out operation.
>

> My system: Win7-64bit, Cherrypy 3.2, Python 2.7(64-bit).
>
> -- The login procedure is arranged by cherrypy.lib.auth_digest.get_ha1_dict_plain(), and a userdictionary is used to check for the user password check.


>
> root.user = MainPageSecure(current_dir)
>
> digest_auth = {'tools.auth_digest.on': True,
> 'tools.auth_digest.realm': 'test',
> 'tools.auth_digest.get_ha1': get_ha1,
> 'tools.auth_digest.key': 'a565c27146791cfb'}
>
> '/user': digest_auth
>
> -- Then, I use cherrypy.request.login to generate some user specific
> data.
>
> -- For the logout procedure, I provide MainPageSecure with a logout
> link that bound to a log_out method:
>
> def log_out(self):
>     """Terminates the session. Note that method is exposed. """
>     print "\n -- terminating session for user: "+str(cherrypy.request.login)+".\n"
>     print "Should kill session now.."
>     cherrypy.lib.sessions.expire()

> # Ay. The session is not dead yet!
>
In HTTP authentication (like Digest or Basic) the client will authenticate and then continue to send an Authorization header with each request that your app then uses to verify the person is authorized to access the resource. I'm not sure you can then "logout" b/c the client will continue to send the correct header.

What you could do is clear the session and return a 401 (Unauthorized) response. That might make the browser think it needs to ask the user again.

I might be wrong about the specifics here, but hopefully this helps looking for a way to debug things.

HTH,

--
Eric Larson

> After starting the logout method, however, 'print cherrypy.session' shows that the session is still there. Each time I activate MainPageSecure by hitting the /users URL the program shows me the user specific page. Instead of giving a new chance to provide login information, the program simply operates with the session that was activated once. Setting 'cherrypy.request.login = False' does not help either.
>
> Any ideas or enlightenments? I am not a complete novice to python, but I am no truly trained programmer either. As such it can very well be that I have misunderstood the one or other concept here..
>
> Thanks for Your time --
>
> Regards,
>
> Piotr



Eugene Van den Bulke

Aug 29, 2011, 9:24:48 PM
to cherryp...@googlegroups.com
Hi Piotr,

I am not an expert but I don't think digest_auth and sessions are related.

A digest_auth expires by itself when the time has come i.e. when it is stale.

CP default is 600 seconds and as far as I can tell from reading the
source there is no way to force the tool to expire a specific user.

If you need a logout you will have to choose another type of
authentication (session based).

Cheers,

--
EuGeNe -- follow me http://twitter.com/3kwa
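
Added example, not part of any post in this thread: a standard-library Python 3 model of the point made in the two replies above. With Digest auth the browser re-signs every request from the cached password, so discarding a server-side session changes nothing, while with session-based auth the server-side record is the only proof of login. The user name, password, function names and session store are constructed for illustration, and server-side nonce issuance and expiry are not modelled.

```python
import hashlib
import hmac
import secrets

REALM = "test"               # realm value from the posted config
USERS = {"piotr": "s3cret"}  # constructed sample credentials
SESSIONS = {}                # session-based variant: session id -> user

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 'response' value for qop=auth."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def browser_header(user, password, method, uri, nonce, nc):
    """Client side: the cached password signs every request anew."""
    cnonce = secrets.token_hex(8)
    return {"user": user, "uri": uri, "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": digest_response(user, password, method, uri, nonce, nc, cnonce)}

def digest_check(method, auth):
    """Server side: recompute from the stored password; no session is consulted."""
    if auth["user"] not in USERS:
        return False
    expected = digest_response(auth["user"], USERS[auth["user"]], method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])

def digest_logout_attempt():
    """Discard the session, then let the browser send its next request."""
    sessions, nonce = {"sid-1": "piotr"}, secrets.token_hex(8)
    before = digest_check("GET", browser_header("piotr", "s3cret", "GET", "/user", nonce, "00000001"))
    sessions.clear()  # what the log_out handler sets out to do
    after = digest_check("GET", browser_header("piotr", "s3cret", "GET", "/user", nonce, "00000002"))
    return before, after

def session_login(user, password):
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid

def session_logout(sid):
    SESSIONS.pop(sid, None)  # the cookie value now proves nothing
```
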

Piotr X

Aug 30, 2011, 12:20:19 PM
to cherrypy-users
Hello Eugene and Eric,

thank You very much for the response. I will look into either a)
abandoning the log-out option or b) use a session based authorization.

Again, thanks for Your help :)

Cheers,

Piotr