On Fri, Jan 23, 2009 at 11:04 AM, Flatfender <flatfen...@gmail.com> wrote:
> On Fri, Jan 23, 2009 at 10:54 AM, Olemis Lang <ole...@gmail.com> wrote:
>> On Fri, Jan 23, 2009 at 9:54 AM, Flatfender <flatfen...@gmail.com> wrote:
>>
>> ... yes ... only form based auth ... but logout links are provided by
>> Trac itself, disregarding the auth provider/handler involved ... so
>> these links should clear cookies, session data, ... and so on, so that
>> the next time the user visits the site, this data is not valid anymore
>> ... and this is not Apache or tracd responsibility IMHO since sessions
>> are managed by Trac itself ... CMIIW ... pls
>>
>> Otherwise ... how could I configure Apache so as to allow users to log out ?
>>
>
> You're talking about two things here: Authentication and Authorization.
> Authentication says who you are, Authorization says what you're allowed to
> do.  Trac delegates Authentication to the web server and as I said
> before the browser caches that.  Trac does not use cookies for
> Authentication, it uses cookies for Authorization so it can save who
> you are, so you can then be validated against the permission system.
>

Probably (99.5 % ;) the browser uses cookies so as to remember
the user session token and determine whether it is logged in or not
... AFAICR ... in detail ...

- The user accesses the site ...
- Apache notices that there is no active login and forces the browser
to show the password dialog
- The user provides his/her credentials and logs in ...
- Trac opens a new session so as to bind a token to the user
credentials provided before, therefore he/she won't need to re-enter
his/her password and the credentials are not exposed ...
- The user accesses the site and credentials as well as preferences are
there all the way through ... this includes authorization ;)
- The user logs out ... and Trac *MUST* invalidate (I mean, make it
expire immediately ...) this session ...
- The next time the user accesses the site, since his session is
expired, we are back at the same point where Apache notices that there
is no active login, or at least ... since my anonymous users have no
rights at all ... it should deny access to any resource and at
least say "Ooopsss ... access denied" ... and what happens in my env
is that the user session is magically back again (didn't it expire ?
...) and I am in once more ... so no logout at all ... and no
anonymous access either ...

So ... am I missing something ? Shouldn't it be that way ?

PS: Thanks for your help ... ;)

-- 
Regards,

Olemis.

Blog ES: http://simelo-es.blogspot.com/
Blog EN: http://simelo-en.blogspot.com/

Featured article:
Looking at the web in a different way with Google Visualization API
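
As an added illustration of the logout problem walked through in the steps above (a constructed model, not Trac's or Apache's code): the browser caches HTTP Basic-auth credentials and resends them on every request, so whether an application-level logout actually holds depends on where the application is willing to accept the web server's REMOTE_USER. The `trust_remote_user_everywhere` switch, the `/login`, `/logout` and `/wiki` paths and the `trac_auth` cookie name used here are assumptions of this model.

```python
"""Two-layer login model: web-server Basic auth + application session cookie.

Constructed simulation. The 'web server' layer is represented by the
remote_user field the browser keeps resending once credentials were typed.
"""
import secrets


class Browser:
    """Caches Basic-auth credentials (as real browsers do) plus cookies."""

    def __init__(self):
        self.cached_user = None   # credentials entered once, then cached
        self.cookies = {}

    def request(self, path, login_user=None):
        if login_user:
            self.cached_user = login_user   # password dialog answered
        return {"path": path, "remote_user": self.cached_user,
                "cookies": dict(self.cookies)}


class App:
    """Application keeping its own session table keyed by a cookie token."""

    def __init__(self, trust_remote_user_everywhere):
        self.sessions = {}                     # token -> user name
        self.trust_everywhere = trust_remote_user_everywhere

    def handle(self, req, browser):
        """Return the authenticated user for this request, or None."""
        token = req["cookies"].get("trac_auth")
        if req["path"] == "/logout":           # invalidate session immediately
            self.sessions.pop(token, None)
            browser.cookies.pop("trac_auth", None)
            return None
        if token in self.sessions:
            return self.sessions[token]
        remote_user = req["remote_user"]
        # Accept the web server's identity either on every path (whole site
        # behind Apache auth) or only on the dedicated login path.
        if remote_user and (self.trust_everywhere or req["path"] == "/login"):
            token = secrets.token_hex(16)
            self.sessions[token] = remote_user
            browser.cookies["trac_auth"] = token
            return remote_user
        return None


def scenario(trust_everywhere):
    """Login, browse, logout, browse again; return (user before, user after)."""
    app, b = App(trust_everywhere), Browser()
    app.handle(b.request("/login", login_user="olemis"), b)  # password dialog
    before = app.handle(b.request("/wiki"), b)
    app.handle(b.request("/logout"), b)                       # session expired
    after = app.handle(b.request("/wiki"), b)                 # cached creds resent
    return before, after
```

With `trust_everywhere=True` the session is "magically back" after logout, exactly the symptom described above; with the identity accepted only on `/login`, the post-logout request is anonymous.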
