I wanna have a "Logout" from an apache account.
Therefore I have a configuration for my homepage in /etc/apache2/conf.d:
Alias /MyHome /usr/share/MyHome/www/
<Directory /usr/share/MyHome/www/secure>
AllowOverride None
AuthGroupFile /etc/backuppc/htgroup
AuthUserFile /etc/backuppc/htpasswd
AuthType basic
AuthName "BackupPC Admin"
require valid-user
</Directory>
<Directory /usr/share/MyHome/www/logout>
AllowOverride None
AuthGroupFile /etc/myHome/htgroup
AuthUserFile /etc/myHome/htpasswd
AuthType basic
AuthName "BackupPC admin"
require valid-user
</Directory>
I call "http://anonymus:logout@localhost/MyHome/logout" for logout where
anonymus/logout are username/password within the /etc/myHome/htpasswd.
This will work in Firefox, but I get a message like "You are trying to login
on 'localhost' as user 'anonymus'".
How to avoid this message?
Is there another way to realize a "logout"?
Konqueror do accept the syntax but don't log me off. If I return to the
secure directory I don't have to enter username/password again.
Internet Explorer 8 seems not to accept the syntax. IE say "file not found".
Thanks
Matthias
--
Don't Panic
Matthias sent the following transmission through subspace:
> I wanna have a "Logout" from an apache account.
Webservers do not have this funtion at all.
The only way to logout, is by Closing the browser.
If a browser accept a logout,
it's because the browser "forget" it's credentials, on your orders.
There is nothing server side you can do to change this,
short of compiling your own modified webserver.
- --
Solbu - http://www.solbu.net
Remove 'ugyldig.' for email
PGP key ID: 0xFA687324
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFK7ZMjT1rWTfpocyQRAkxnAKCCd07qaozkiet0LX1alLCnVP2VCACeKcDO
QhCla+zd8N7NKbBozKMJNFg=
=+0rx
-----END PGP SIGNATURE-----
>
> Matthias sent the following transmission through subspace:
>
>> I wanna have a "Logout" from an apache account.
>
> Webservers do not have this funtion at all.
> The only way to logout, is by Closing the browser.
>
> If a browser accept a logout,
> it's because the browser "forget" it's credentials, on your orders.
>
Do all Browsers save there "credentials" in a same way (e.g. in a cookie)?
Is it possible to write this logout in javascript?
No, that depends upon how the website requests authentication. Common
ways are:
1. Basic authentication (you get a Username/Password popup from the
browser
2. Cookies
3. A long/random string appended to the URL (not very secure)
There are plenty of other ways.
If you share your computer with others, then you should arrange your own
distinct userid, then your details are somewhat secure, depending upon
which technique was used.
If we're talking about the PC in the local Library then don't *ever*
save your credentials; change your password if you do so by accident.
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
Matthias sent the following transmission through subspace:
>> If a browser accept a logout,
>> it's because the browser "forget" it's credentials, on your orders.
>>
>
> Do all Browsers save there "credentials" in a same way (e.g. in a cookie)?
You don't understand. :-)=
Browsers does Not save the credentials in the login scheme you described.
It remembers it during That browser session only,
so if you close the browser, you have loged out. And only then.
My point earlier was that if a browser accepts a logout Before you close the
browser, it's a non-standard feature implemented in that browser
and nothing you implemented on the server.
This is how http-authentication works.
A browser does not remember anything beyond the current session,
and there are no cookies of any kind involved.
- --
Solbu - http://www.solbu.net
Remove 'ugyldig.' for email
PGP key ID: 0xFA687324
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFK7nTfT1rWTfpocyQRAklfAJ9AXIwK0unEYUCZnIKIRezOb5IsPgCfTt1I
i8uoTEhFA7ZS/T6UFEpMAC4=
=1nvI
-----END PGP SIGNATURE-----
>
> Matthias sent the following transmission through subspace:
>
>>> If a browser accept a logout,
>>> it's because the browser "forget" it's credentials, on your orders.
>>>
>>
>> Do all Browsers save there "credentials" in a same way (e.g. in a
>> cookie)?
>
> You don't understand. :-)=
> Browsers does Not save the credentials in the login scheme you described.
> It remembers it during That browser session only,
> so if you close the browser, you have loged out. And only then.
>
> My point earlier was that if a browser accepts a logout Before you close
> the browser, it's a non-standard feature implemented in that browser
> and nothing you implemented on the server.
>
> This is how http-authentication works.
> A browser does not remember anything beyond the current session,
> and there are no cookies of any kind involved.
>
> - --
> Solbu - http://www.solbu.net
Thanks Solbu. You are right, I didn't understand, but now.
I had found some threads in the web which describes that a logout
from "basic authentication" should be implementable by a login into another
account (e.g. http://anonymus:logout@localhost/something).
As you described, that is not possible :-(
Thanks for your clarification
There is something which comes close to a logout from basic
authentication: a CGI script that unconditionally returns a status of
401 Unauthorized *in the same domain* as was being used. Anything else
that achieves the same result would also work.
I have no idea if this works cross browsers (nor any intent to find
out), but since it tells the browser that "the username/password which
you just sent me is now invalid", it usually has the desired effect.
There's the catch� is "usually works" good enough?
You can tie yourself (and your users browsers) in knots trying to
implement such a scheme.
Te only problem with that solution is that sometimes the browser will ask
the user for a new ID/PW.
I can confirm that having another Basic authentication realm with the
same name that uses different account credentials than the one you are
trying to protect does work. (I.e. the browser caches a different set
of credentials that do not work in the real realm, thus the user is
effectively not-logged in.) I am using this with great success and love
it. (I chuckle to my self every time I read "you can't log out of HT
Password protected areas" because I know that to be false.)
> I call "http://anonymus:logout@localhost/MyHome/logout" for logout
> where anonymus/logout are username/password within the
> /etc/myHome/htpasswd.
I understand what you are trying to do with encoding the username and
password in the URL, but I don't know how standard that is any more.
> This will work in Firefox, but I get a message like "You are trying
> to login on 'localhost' as user 'anonymus'".
Can you duplicate this error on another (non-localhost) web server? I
don't know if it's a syntax problem or the fact localhost is involved.
> How to avoid this message?
Seeing as how I'm using JavaScript rather than encoding my username and
password in the URL, I have not run in to the problem that you are. -
Let me know if you would like some example code to play with / test.
> Is there another way to realize a "logout"?
I think your method of logging in to another realm with bogus
credentials for the main secure realm is sound. That's what I'm doing too.
I (think) I avoid the problem you are running in to as well as solved
(read: worked around) the other main complaint that people have with HT
Password protected realms by using JavaScript. I have created a web
page that is my login form that will take the username and password
supplied in the form and issue an XMLHttpRequest using the supplied
username and password to access something in the secure area. Once the
XMLHttpRequest returns, I simply change the Document.Location to
something (index?) with in the secure area. - I use the same in
reverse to log people out. The only difference in logging in and
logging out is that I use a known bogus username and password for
logging out.
> Konqueror do accept the syntax but don't log me off. If I return to
> the secure directory I don't have to enter username/password again.
>
> Internet Explorer 8 seems not to accept the syntax. IE say "file not
> found".
It seems as if Firefox, Konqueror, and IE 8 are all unhappy with the URL
syntax that you are using.
Grant. . . .
That is incorrect.
It is true that browsers will always cache this information until they
are closed (or beyond if they are set to do so).
However there is nothing preventing you from logging in to a different
realm with the same name there by updating what the browser has cached.
This newly cached information can be invalid for the first realm thus
effectively logging the user out. In other words if they try to go back
to the first realm the cached credentials will be invalid forcing a
prompt for the correct credentials.
Grant. . . .
Yes.
See my earlier post about using the JavaScript XMLHttpRequest object to
log users in and out by pre-caching credentials.
If you need / want an example of functioning code, let me know and I'll
provide some.
Grant. . . .
A major problem that I see with this method (despite the fact that it
might work) is that the user will be prompted for a username and
password indefinitely or until they hit chancel and deal with the
resulting 401 unauthorized error.
Grant. . . .
> Te only problem with that solution is that sometimes the browser will ask
> the user for a new ID/PW.
Yes, it's far from a graceful exit.
Great! Please can you send me your example code?
I've found two additional alternatives:
http://nz2.php.net/features.http-auth
- but it is necessary to manage your own htpasswd database
http://www.berenddeboer.net/rest/authentication.html#permanent-logout
- seems a little bit complicate
br
function doLogout() {
var XHR = getXHR();
XHR.open ('GET', 'http://www.domain.tld/logout/?q=' +
Math.random(), false, 'username', 'password');
XHR.send (null);
XHR = null;
document.location = 'http://www.domain.tld/?q=' + Math.random();
}
I have a link / button somewhere on the page that calls the JavaScript
doLogout() function. The function pre-caches different credentials and
then changes to another location.
This way when the user tries to go back to the protected area they are
re-prompted for their credentials.
Grant. . . .