Anyone seen issues when "Logout" doesn't log you out?


Furosh One

Jul 28, 2010, 7:21:29 PM
to Repo and Gerrit Discussion
I'm not sure if this is a bug or just something related to our config/setup with the reverse-proxy settings and Apache passwd file for authentication.

Anything I can check or test?


Do you think this is an HTTPD error and not a Gerrit issue? The access_log shows I click on logout but then get login/mine without being asked for a username/password again. It just keeps my session open.

10.3.2.102 - - [28/Jul/2010:16:06:25 -0700] "GET /logout HTTP/1.1" 302 - "http://ala-serv1.wrs.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)"
10.3.2.102 - - [28/Jul/2010:16:06:25 -0700] "GET / HTTP/1.1" 200 365 "http://ala-serv1.wrs.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)"
10.3.2.102 - gmarquez [28/Jul/2010:16:06:26 -0700] "GET /login/mine HTTP/1.1" 302 - "http://ala-serv1.wrs.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)"

-FuRoSh...

Shawn Pearce

Jul 28, 2010, 7:29:21 PM
to Furosh One, Repo and Gerrit Discussion
On Wed, Jul 28, 2010 at 16:21, Furosh One <fur...@gmail.com> wrote:
> I'm not sure if this is a bug or just something related to our config/setup
> with the reverse-proxy settings and Apache passwd file for authentication.

Yeah, it's the Apache setup. Logout with HTTP authentication doesn't
actually kill the username/password from the browser, which means it's
still available on the next request, Apache re-authenticates you, and
you get logged right back in. :-(
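The access_log excerpt in the first post is the signature of exactly what Shawn describes: a GET /logout immediately followed by a request that Apache logs with a remote-user, meaning the browser resent the cached Basic credentials. The following checker is an added example (not from the thread or from Gerrit); it parses Apache "combined" log lines and flags every /logout that is followed, from the same client within a short window, by an authenticated request. The sample lines are constructed, modelled on the ones posted above.

```python
import re
from datetime import datetime, timedelta

# Leading fields of the Apache "combined" format (CustomLog ... combined):
# client ip, ident, remote-user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def ineffective_logouts(lines, window=timedelta(seconds=30)):
    """For every GET /logout, look for a later request from the same client
    within `window` whose remote-user is not '-': Apache authenticated it, so
    the browser still sent credentials and the logout did not take effect.
    Returns a list of (ip, user, logout_ts, reauth_ts) tuples."""
    recs = [r for r in map(parse_line, lines) if r]
    hits = []
    for i, r in enumerate(recs):
        if r["path"] != "/logout":
            continue
        for later in recs[i + 1:]:
            if later["ip"] != r["ip"]:
                continue
            if later["ts"] - r["ts"] > window:
                break
            if later["user"] != "-":
                hits.append((r["ip"], later["user"], r["ts"], later["ts"]))
                break
    return hits

# Constructed sample: first three lines mirror the thread's log (user-agent shortened),
# the last two are a client whose logout was not followed by re-authentication.
SAMPLE_LOG = [
    '10.3.2.102 - - [28/Jul/2010:16:06:25 -0700] "GET /logout HTTP/1.1" 302 - "http://ala-serv1.wrs.com/" "Mozilla/5.0"',
    '10.3.2.102 - - [28/Jul/2010:16:06:25 -0700] "GET / HTTP/1.1" 200 365 "http://ala-serv1.wrs.com/" "Mozilla/5.0"',
    '10.3.2.102 - gmarquez [28/Jul/2010:16:06:26 -0700] "GET /login/mine HTTP/1.1" 302 - "http://ala-serv1.wrs.com/" "Mozilla/5.0"',
    '10.3.2.55 - - [28/Jul/2010:16:10:00 -0700] "GET /logout HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '10.3.2.55 - - [28/Jul/2010:16:10:01 -0700] "GET / HTTP/1.1" 200 365 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, user, t0, t1 in ineffective_logouts(SAMPLE_LOG):
        print(f"{ip}: /logout at {t0:%H:%M:%S} followed by authenticated request as {user} at {t1:%H:%M:%S}")
```

Run it against the real gerrit-access.log to see how many users are affected rather than relying on complaints.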

David Eason

May 19, 2015, 5:20:27 PM
to repo-d...@googlegroups.com
I have the same problem: logouts don't log me out.

I'm using Apache to authenticate because I have users logging in from more than one LDAP URL, and I understand Gerrit can't do this natively. My dual-authentication is working fine through Apache. However, when I use that, then Gerrit's "logout" option simply redirects users back to the login page.

I've read about two work-arounds:
(1) Set a logout alias so it submits bad credentials, thus effecting a de facto logout. This doesn't work for me. See the logoutUrl setting below.
(2) Create a JavaScript file and send the logout request to it; the JavaScript submits bad credentials. I'd like to try this, but don't know where to put the JavaScript so that Gerrit's logout option can reach it.

My configs are as shown below.

Thanks in advance for any help provided.

======== aaa_ldap.conf =========

# Specify multiple LDAP providers. Enable this with the AuthBasicProvider directive, followed by each alias below
<AuthnProviderAlias ldap ldap-BIGCOMPANY>
        AuthLDAPURL ldap://abcLdap01:3268/DC=corp,DC=BIGCOMPANY,DC=com?sAMAccountName
        AuthLDAPBindDN cmldap
        AuthLDAPBindPassword PASSWORD
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-MEDIUMCOMPANY>
        AuthLDAPBindDN cmldap
        AuthLDAPBindPassword PASSWORD
</AuthnProviderAlias>

=========== gerrit.conf =========

Listen 80
<VirtualHost *:80>
        ProxyRequests Off
        ProxyVia Off
        ProxyPreserveHost On

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>

        <Location /login/>
                AuthType Basic
                Order deny,allow
                Allow from All
                AuthName "Gerrit Code Review"

                # Specify two LDAPs, so any user from either domain can login
                AuthBasicProvider ldap-BIGCOMPANY ldap-MEDIUMCOMPANY

                AuthzLDAPAuthoritative on
                Require valid-user
        </Location>

        ErrorLog /var/log/httpd/gerrit-error.log
        CustomLog /var/log/httpd/gerrit-access.log combined

        AllowEncodedSlashes On
        ProxyPass / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/

</VirtualHost>

============= gerrit.config ==========

[gerrit]
        basePath = /d01/gerrit/repos
        canonicalWebUrl = http://hourdcm4.SMALLCOMPANY.com
        changeScreen = CHANGE_SCREEN2
[database]
        type = mysql
        hostname = localhost
        database = reviewdb
        username = gerrit2
[index]
        type = LUCENE
[auth]
        type = HTTP
[sendemail]
        smtpServer = whsmtp.corp.BIGCOMPANY.com
[container]
        user = svnsomeadmin
        javaHome = /usr/java/jdk1.7.0_45/jre
[sshd]
        listenAddress = *:29418
[httpd]
        listenUrl = proxy-http://*:8080/
[cache]
        directory = cache

Simfu

May 20, 2015, 3:01:57 AM
to repo-d...@googlegroups.com
I wonder if you can use a rewrite rule to redirect to the correct place?
RewriteEngine on
RewriteRule ^/logout$ https://accounts.wrs.com/logout [R]

Doug Kelly

May 20, 2015, 8:26:45 AM
to repo-d...@googlegroups.com
Wow! Talk about an old thread. As Shawn wrote back in 2010, yes. This is a behavior inherent to HTTP Basic authentication. You are correct, there are some ways that you can convince the browser to forget the credentials, but none are really that great. The simplest -- forcing invalid credentials -- is indeed one such method. Similarly, you can send an HTTP 401/Unauthorized response back from the application, which would force the browser to dump credentials as well. I believe Internet Explorer also had some non-standard/undocumented method to achieve the same result, and Outlook Web Access took advantage of that.

The problem with sending invalid credentials back to the application, though, is that some systems may lock an account after too many failed attempts. Sending an Unauthorized response would be difficult, since it requires specifying the same realm as what the container is specifying. And of course, non-standard is, well, non-standard.

Things to consider... I know I've had some users complain about this in the past, so a durable solution might be nice, but remember this is only one of the many authentication backends Gerrit supports.  Telling the users to close their browser to really log out isn't so bad. :)

Doug

Justin Georgeson

May 20, 2015, 11:17:12 AM
to repo-d...@googlegroups.com
> Telling the users to close their browser to really log out isn't so bad. :)

David and I work together. I'm actually seeing the login persist across browser restarts (IE11 and Chrome 42). I have to manually delete the cookie to log out. I asked about multiple LDAP support back in January and Luca indicated an experimental implementation had been developed but parked [1], and two major releases have come out since then. So I've submitted an issue to the Google Code project site [2].
