Re: [dl-ticket-service] Logout requires login

2015-03-25 Thread Yuri D'Elia
On 03/25/2015 01:41 PM, Carsten Czerner wrote:
> Hi,
>
> thanks for your reply, I understand the problem.
>
> But couldn't we use an Ajax request to update and display the Logout
> success and call the admin.php afterwards?
>
> This will inform the user to close the tab or to reload it by pressing
> Ctrl + R?

If I understand correctly we could just show another regular page (with
some logout text), and *then* perform the logout (maybe just with a
meta-refresh on the correct url).

This should work, but you will still get the prompt afterwards.
Well.. I guess it's a step forward?





Re: [dl-ticket-service] Logout requires login

2015-03-25 Thread Carsten Czerner

Hi,

thanks for your reply, I understand the problem.

But couldn't we use an Ajax request to update and display the Logout
success and call the admin.php afterwards?

This will inform the user to close the tab or to reload it by pressing
Ctrl + R?


Regards
Carsten

On 24.03.2015 at 12:57, Yuri D'Elia wrote:

> On 03/24/2015 11:24 AM, Carsten Czerner wrote:
>
>> Hi,
>>
>> I have a strange behavior with the Logout function. When I try to
>> logout, the server asks me to re-login, that always fails. When I
>> cancel the Authentication Dialog the correct message was displayed:
>> "Please close the window". The other functions like "New Ticket" or
>> "Active grants" work correctly!
>>
>> Why is there an authentication dialog when I try to logout?
>
> It's a known issue. At least, I couldn't make it work better than
> this, so if anybody else has some experience, please read on.
>
> This happens when you have HTTP authentication active. In this
> situation, /admin.php is protected by the web server itself, which sends
> a WWW-Authenticate header. The browser caches the credentials for
> /admin.php and uses them for each request.
>
> To perform a *true* logout, I actually have to make the browser *fail*
> authentication at least once in order to make it forget the credentials.
> I cannot redirect it outside /admin.php, since this would prevent the
> credentials from being forgotten entirely.
>
> If I didn't do that, you could just browse again to admin and you would
> still be logged in as the previous user.
>
> This ends up in this weird logout limbo, where you *need*
> authentication, but I keep telling the browser it's wrong. As you saw,
> if you cancel, you can actually see the content of the page - which is
> *already* sent to the browser, but it's never displayed.
>
> I also have this issue, since I'm also using HTTP authentication
> everywhere. I could add an extra redirect *after* the authentication
> failed, but you would still see a prompt at least once. Confusing.
>
> Maybe there's a trick we could use to stop the prompt from appearing while
> still removing the credentials from *some* recent browsers?





--
Kind regards
Dipl. Inform. (FH) Carsten Czerner
Medien- und Informationszentrum (MIZ)
Leuphana Universität Lüneburg
Scharnhorststraße 1, C7.217
21335 Lüneburg
Phone 04131.677-1241
Fax 04131.677-1246






Re: [dl-ticket-service] Logout requires login

2015-03-25 Thread Carsten Czerner


On 25.03.2015 at 14:41, Yuri D'Elia wrote:

> On 03/25/2015 01:41 PM, Carsten Czerner wrote:
>
>> Hi,
>>
>> thanks for your reply, I understand the problem.
>>
>> But couldn't we use an Ajax request to update and display the Logout
>> success and call the admin.php afterwards?
>>
>> This will inform the user to close the tab or to reload it by pressing
>> Ctrl + R?
>
> If I understand correctly we could just show another regular page (with
> some logout text), and *then* perform the logout (maybe just with a
> meta-refresh on the correct url).
>
> This should work, but you will still get the prompt afterwards.
> Well.. I guess it's a step forward?




Yes,

that would help me and the normal user. I hope they will ignore the
login prompt if the underlying page told them to close the tab!


Thanks
Carsten






[dl-ticket-service] Logout requires login

2015-03-24 Thread Carsten Czerner

Hi,

I have a strange behavior with the Logout function. When I try to
logout, the server asks me to re-login, that always fails. When I
cancel the Authentication Dialog the correct message was displayed:
"Please close the window". The other functions like "New Ticket" or
"Active grants" work correctly!


Why is there an authentication dialog when I try to logout?

The user will be authenticated against an AD via LDAPS, works fine for
the first login.


I started the Apache with debug logging, but the debug logs are equal
for the action Logout and Preferences.



Apache Access LOG:

-Preferences
filelink.leuphana.de:80 193.174.32.73 - carsten [24/Mar/2015:09:58:35 +0100] GET /admin.php?token=b170d0e9db7154a7e8e4daf30f09ec60a=prefs HTTP/1.1 *200* 1445 http://filelink.leuphana.de/admin.php?token=b170d0e9db7154a7e8e4daf30f09ec60a=glist Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36

-Logout
filelink.leuphana.de:80 193.174.32.73 - carsten [24/Mar/2015:09:58:37 +0100] GET /admin.php?u HTTP/1.1 *401* 1372 http://filelink.leuphana.de/admin.php?token=b170d0e9db7154a7e8e4daf30f09ec60a=prefs; Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36



TCPDUMP:

GET /admin.php?u HTTP/1.1
Host: filelink.leuphana.de
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Iceweasel/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://filelink.leuphana.de/admin.php
Cookie: _ga=GA1.2.560792455.1413527448; lang=EN; sid=5v94repq6iauvg1p216fqmfr21
Authorization: Basic SDFsdsdf3sdfsdfsdfsdf=
Connection: keep-alive


HTTP/1.0 401 Unauthorized
Date: Tue, 24 Mar 2015 08:41:59 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
WWW-Authenticate: Basic realm=Restricted Area
Set-Cookie: sid=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Content-Length: 968
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Abmelden...</title>
    <script type="text/javascript" src="static/jquery.js"></script>
    <script type="text/javascript" src="static/dl.js"></script>
    <link rel="stylesheet" type="text/css" href="style/default/static/view.css"/>
    <script type="text/javascript" src="style/default/static/view.js"></script>
  </head>
  <body>
    <div id="navbar-inner">
      <div id="container">
        <h1>
          MySHARE / FileLink
        </h1>
      </div>
    </div>
    <div id="navbar-gardine">
    </div>
    <br>
    <div id="form_container">
      <div class="appnitro">
        <div class="form_description">
          <h2>Abmelden...</h2>
        </div>
        <label class="description">
          <em>Schlie&szlig;en sie das Browser-Fenster</em>, um den Logout-Vorgang abzuschlie&szlig;en</label>
      </div>
      <div id="banner"></div>
    </div>
  </body>
</html>

Regards
Carsten





Re: [dl-ticket-service] Logout requires login

2015-03-24 Thread Yuri D'Elia
On 03/24/2015 11:24 AM, Carsten Czerner wrote:
> Hi,
>
> I have a strange behavior with the Logout function. When I try to
> logout, the server asks me to re-login, that always fails. When I
> cancel the Authentication Dialog the correct message was displayed:
> "Please close the window". The other functions like "New Ticket" or
> "Active grants" work correctly!
>
> Why is there an authentication dialog when I try to logout?

It's a known issue. At least, I couldn't make it work better than
this, so if anybody else has some experience, please read on.

This happens when you have HTTP authentication active. In this
situation, /admin.php is protected by the web server itself, which sends
a WWW-Authenticate header. The browser caches the credentials for
/admin.php and uses them for each request.

To perform a *true* logout, I actually have to make the browser *fail*
authentication at least once in order to make it forget the credentials.
I cannot redirect it outside /admin.php, since this would prevent the
credentials from being forgotten entirely.

If I didn't do that, you could just browse again to admin and you would
still be logged in as the previous user.

This ends up in this weird logout limbo, where you *need*
authentication, but I keep telling the browser it's wrong. As you saw,
if you cancel, you can actually see the content of the page - which is
*already* sent to the browser, but it's never displayed.

I also have this issue, since I'm also using HTTP authentication
everywhere. I could add an extra redirect *after* the authentication
failed, but you would still see a prompt at least once. Confusing.

Maybe there's a trick we could use to stop the prompt from appearing while
still removing the credentials from *some* recent browsers?
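
The logout behaviour described in the message above, as a small Python model. This is an added example, not code from dl-ticket-service or from anyone in this thread. The path /admin.php?u and the realm come from the posted capture; the demo account, the function names and the Browser cache model are assumptions made for illustration.

```python
import base64

USERS = {"demo": "demo-password"}  # constructed demo account, not from the thread
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Restricted Area"'}

def basic(user, password):
    """Build the Authorization header value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def valid(authorization):
    """True if the header carries Basic credentials for a known user."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except ValueError:
        return False
    return USERS.get(user) == password

def server(path, authorization, force_401=True):
    """Hypothetical stand-in for the protected /admin.php: (status, headers, body)."""
    if path == "/admin.php?u" and force_401:
        # Logout: reject even valid credentials so the browser forgets them.
        return 401, CHALLENGE, "Close the window to complete the logout"
    if not valid(authorization):
        return 401, CHALLENGE, "Login required"
    if path == "/admin.php?u":
        return 200, {}, "Logged out"  # no 401, so the browser keeps its cache
    return 200, {}, "Admin page"

class Browser:
    """Simplified model (an assumption): credentials are reused until a 401 rejects them."""
    def __init__(self, force_401=True):
        self.cached, self.force_401 = None, force_401

    def get(self, path):
        status, _, body = server(path, self.cached, self.force_401)
        if status == 401:
            self.cached = None  # rejected credentials are dropped, prompt appears
        return status, body     # the body is what shows if the prompt is cancelled

def revisit_after_logout(force_401):
    """Log in, log out, browse back to /admin.php; return (first, final) status."""
    browser = Browser(force_401)
    browser.cached = basic("demo", "demo-password")
    first = browser.get("/admin.php")[0]
    browser.get("/admin.php?u")
    return first, browser.get("/admin.php")[0]
```

With the forced 401 the revisit is challenged again; without it the cached credentials still open /admin.php as the previous user.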