Re: Logout of gerrit

Shawn Pearce

Feb 21, 2011, 1:02:56 PM
to Vivek, Repo and Gerrit Discussion
On Mon, Feb 21, 2011 at 04:16, Vivek <subraman...@gmail.com> wrote:
> I have managed to get gerrit up and working, but I have a problem with
> the logout. I am using basic HTTP for authentication and when I click
> on signout it doesn't really sign me out. I have to close the browser
> window or clear the cookie to actually get logged out.

HTTP Basic authentication has no concept of "sign-out". Once the
credentials are cached by the browser, it will continue to issue those
to the server until the browser is closed. This is one (of many)
reasons why most sites on the Internet these days use HTML forms and
do not use the basic authentication support built into browsers.

> Is there any way I can write a page that I place in say the $site_path/
> static folder which I can point to using the SSO URL and then clear
> out the cookie that Gerrit places on my system?

No. Gerrit will erase its own cookie with the /logout URL (which
happens when there is a sign-out link in the top right corner of the
page). But this doesn't really help when the browser still has your
username and password in place and can re-authenticate to get a new
cookie set up as soon as the old cookie was destroyed. :-(

You might be able to set up the SSO URL to redirect to a URL on the web
server that denies all authentication attempts, but requires
authentication with the same HTTP Basic realm name. This should kick
the browser to throw away its cached username/password pair. But it's
ugly because the user gets presented with a username/password dialog
and is asked to authenticate again, probably in an infinite loop.
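
An added example, not part of the reply above and not Gerrit's code: a toy WSGI app showing why erasing the session cookie does not sign a Basic-auth user out, and how a same-realm URL that always answers 401 behaves. The paths `/app`, `/logout` and `/basic-logout`, the realm name and the credentials are assumptions made for illustration.

```python
import base64, secrets

REALM = "Gerrit Code Review"   # assumed realm name, not taken from Gerrit
USERS = {"vivek": "s3cret"}    # constructed demo account
SESSIONS = set()               # live session ids issued by this toy app

def basic_user(environ):
    """User name if the request carries valid Basic credentials, else None."""
    scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    try:
        user, _, pw = base64.b64decode(blob).decode().partition(":")
    except ValueError:
        return None
    ok = scheme == "Basic" and user in USERS and secrets.compare_digest(USERS[user].encode(), pw.encode())
    return user if ok else None

def sid_of(environ):
    cookie = environ.get("HTTP_COOKIE", "")
    return cookie[4:] if cookie.startswith("sid=") else None

def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    challenge = ("WWW-Authenticate", f'Basic realm="{REALM}"')
    if path == "/basic-logout":
        # Same realm, but nothing is ever accepted: the cached pair fails here.
        start_response("401 Unauthorized", [challenge])
        return [b"signed out"]
    if path == "/logout":
        SESSIONS.discard(sid_of(environ))
        start_response("200 OK", [("Set-Cookie", "sid=; Max-Age=0; Path=/")])
        return [b"session cookie erased"]
    if sid_of(environ) in SESSIONS:
        start_response("200 OK", [])
        return [b"welcome back"]
    if basic_user(environ) is None:
        start_response("401 Unauthorized", [challenge])
        return [b"authentication required"]
    sid = secrets.token_hex(16)
    SESSIONS.add(sid)
    start_response("200 OK", [("Set-Cookie", f"sid={sid}; Path=/; HttpOnly")])
    return [b"signed in"]

def request(path, auth=None, cookie=None):  # in-process driver: (status, headers)
    environ = {"PATH_INFO": path, "HTTP_COOKIE": cookie or ""}
    if auth:
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(auth.encode()).decode()
    seen = []
    app(environ, lambda status, headers: seen.append((status, dict(headers))))
    return seen[0]
```

Calling `request("/app", auth="vivek:s3cret")` after `/logout` yields a fresh `sid`, which is the re-authentication described above, while `/basic-logout` answers 401 even when the credentials are valid.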

Vivek

Feb 21, 2011, 7:16:57 AM
to Repo and Gerrit Discussion
Hi,

I have managed to get gerrit up and working, but I have a problem with
the logout. I am using basic HTTP for authentication and when I click
on signout it doesn't really sign me out. I have to close the browser
window or clear the cookie to actually get logged out.

Xianghua Xiao

Feb 22, 2011, 8:53:58 AM
to Shawn Pearce, Vivek, Repo and Gerrit Discussion

Indeed, if Gerrit supports its own built-in
register-need-approval/login/logout scheme that will be very useful.
