Re: [dl-ticket-service] Logout problems

2018-05-18 Thread Yuri D'Elia
On Fri, May 18 2018, Carsten Schulze wrote:
> I tested it with Chrome, Firefox and Edge, all the newest versions on
> different OS. When I close the "Logout Tab" and open a new Tab I'm
> logged in again without any credentials given!

Do you accept the authentication prompt during logout?




Re: [dl-ticket-service] Logout problems

2018-05-18 Thread Carsten Schulze



Am 18.05.2018 um 12:17 schrieb Yuri D'Elia:

On Fri, May 18 2018, Carsten Schulze wrote:

When I press the Logout link, I get a windows with a new
Authentification Request. Now I cancel that and get the following
message.

Logged-out

Close the browser to complete the logout. Ok, most people think they
could close the current browser tab, but they really have to close the
whole browser and reopen it again. That is not logical and no one
understands why.

Is there another way to destroy the login cache?

This only happens with http authentication.

Now, with most modern browsers (FF, Chrome for sure), you don't need to
close the browser.
I tested it with Chrome, Firefox and Edge, all the newest versions on 
different OS. When I close the "Logout Tab" and open a new Tab I'm 
logged in again without any credentials given!



To invalidate the cache we have to feed the browser a
request which we deny. This results in the auth prompt that you see.

I was thinking of hiding it by performing a background request, and
according to my tests it still does invalidate the cache correctly, but
I didn't have time to implement it yet.

As far as I know, there's no other way to invalidate the auth cache. I'd
be happy to know if there is a better method.

On IE <= 7 though, the cache is never invalidated. You really *need* to
close the browser to logout.









Re: [dl-ticket-service] Logout problems

2018-05-18 Thread Yuri D'Elia
On Fri, May 18 2018, Carsten Schulze wrote:
> When I press the Logout link, I get a windows with a new
> Authentification Request. Now I cancel that and get the following
> message.
>
> Logged-out
>
> Close the browser to complete the logout. Ok, most people think they
> could close the current browser tab, but they really have to close the
> whole browser and reopen it again. That is not logical and no one
> understands why.
>
> Is there another way to destroy the login cache?

This only happens with http authentication.

Now, with most modern browsers (FF, Chrome for sure), you don't need to
close the browser. To invalidate the cache we have to feed the browser a
request which we deny. This results in the auth prompt that you see.

I was thinking of hiding it by performing a background request, and
according to my tests it still does invalidate the cache correctly, but
I didn't have time to implement it yet.

As far as I know, there's no other way to invalidate the auth cache. I'd
be happy to know if there is a better method.

On IE <= 7 though, the cache is never invalidated. You really *need* to
close the browser to logout.