> Probably (99.5 % ;) the browser uses uses cookies so as to remember > the user session token and determine whether it is logged in or not > ... AFAICR ... in detail ... > > - The user accesses the site ... > - Apache notices that there is no active login and forces the browser > to show the password dialog > - The user provides its credemntials and logs in ... > - Trac opens a new session so as to bind a token to the user > credentials provided before, therefore he/she wont need to reenter > his/her password and the credentials are not exposed ... > - The user access the site and credntial as well as preference are > there all the way through ... this includes authorization ;) > - The user logs out ... and Trac *MUST* invalidate (I mean, make it > expire immediately ...) this session ... > - The next time the user accesses the site, since his session is > expired, we are back at the same point where Apache notices that there > is no active login, or at least ... since my anonymous users have no > rights at all ... it should issue deny access to any resource and at > least say "Ooopsss ... access denied" ... and what happens in my env > is that the user session is magically back again (didnt it expire ? > ...) and I am in once more ... so no logout at all ... and no > anonymous access either ... > > So ... am I missing something ? Shouldnt it be that way ? > > PD: Thnx for your help ... ;) > > -- > Regards, > > Olemis. >
The part your missing is that your browser has your credentials cached, so even when you click logout and trac expires your session, a new session get's created b/c instead of getting a enter your credentials dialog box when you access a new portion of the site, the browser just silently passes your auth credentials back. This is the reason why closing your browser solves this type of setup. Matt P. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Trac Users" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/trac-users?hl=en -~----------~----~----~----~------~----~------~--~---
