On Jan 23, 2009, at 10:49 AM, Flatfender wrote:

>
>> Probably (99.5 % ;) the browser uses cookies so as to remember
>> the user session token and determine whether it is logged in or not
>> ... AFAICR ... in detail ...
>>
>> - The user accesses the site ...
>> - Apache notices that there is no active login and forces the browser
>> to show the password dialog
>> - The user provides their credentials and logs in ...
>> - Trac opens a new session so as to bind a token to the user
>> credentials provided before, therefore he/she won't need to re-enter
>> his/her password and the credentials are not exposed ...
>> - The user accesses the site and credentials as well as preferences are
>> there all the way through ... this includes authorization ;)
>> - The user logs out ... and Trac *MUST* invalidate (I mean, make it
>> expire immediately ...) this session ...
>> - The next time the user accesses the site, since his session is
>> expired, we are back at the same point where Apache notices that there
>> is no active login, or at least ... since my anonymous users have no
>> rights at all ... it should deny access to any resource and at
>> least say "Ooopsss ... access denied" ... and what happens in my env
>> is that the user session is magically back again (didn't it expire ?
>> ...) and I am in once more ... so no logout at all ... and no
>> anonymous access either ...
>>
>> So ... am I missing something ? Shouldn't it be that way ?
>>
>> PD: Thnx for your help ... ;)
>>
>> --
>> Regards,
>>
>> Olemis.
>>
>
> The part you're missing is that your browser has your credentials
> cached, so even when you click logout and trac expires your session, a
> new session gets created b/c instead of getting an "enter your
> credentials" dialog box when you access a new portion of the site, the
> browser just silently passes your auth credentials back.  This is the
> reason why closing your browser solves this type of setup.

More specifically, the part you are missing is that these credentials
aren't stored in a cookie or anything similar; they are just kept in
memory in the browser. There is nothing in the HTTP authentication
standard that allows the web site to request these be cleared.
Clicking logout will clear the cookies, but since it can't clear these
credentials you will be logged right back in. Solution: use
AccountManager's form-based logins, since they are not subject to the
wiles of HTTP auth.

--Noah
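An added illustration of the mechanism described in this thread (example code written for this page, not code from Trac, Apache or AccountManager). It models a server that keeps its own sessions and a browser that caches HTTP Basic credentials in memory; the user name "olemis", the password, the cookie name "trac_session" and the credential store are constructed sample values. With Basic auth, logout expires the session and clears the cookie, but the browser replays the cached Authorization header and the server mints a fresh session; with a form login the cookie is the only thing identifying the user, so clearing it really does log out.

```python
import base64
import secrets

USERS = {"olemis": "s3cret"}  # constructed sample credential store


class Server:
    # Server-side sessions; with basic_auth it also honours Authorization headers.
    def __init__(self, basic_auth):
        self.basic_auth, self.sessions = basic_auth, {}  # token -> user

    def new_session(self, user):
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return token

    def logout(self, token):
        self.sessions.pop(token, None)  # expire the session immediately

    def request(self, headers, cookies):
        """Handle one request: return (user, cookies_to_set)."""
        user = self.sessions.get(cookies.get("trac_session"))
        if user:
            return user, {}
        if self.basic_auth and "Authorization" in headers:
            raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1])
            name, _, pw = raw.decode().partition(":")
            if USERS.get(name) == pw:  # valid credentials, no session: mint one
                return name, {"trac_session": self.new_session(name)}
        return "anonymous", {}


class Browser:
    # Cookies can be cleared by the site; cached Basic credentials cannot.
    def __init__(self):
        self.cookies, self.auth_header = {}, None  # creds live in memory only

    def get(self, server):
        headers = {"Authorization": self.auth_header} if self.auth_header else {}
        user, set_cookies = server.request(headers, self.cookies)
        self.cookies.update(set_cookies)
        return user


def user_after_logout(basic_auth):
    """Log in, log out, revisit: which user does the server see on the revisit?"""
    server, browser = Server(basic_auth), Browser()
    if basic_auth:  # password dialog: the browser caches and replays the header
        browser.auth_header = "Basic " + base64.b64encode(b"olemis:s3cret").decode()
    else:  # form login: the session cookie is the only thing identifying the user
        browser.cookies["trac_session"] = server.new_session("olemis")
    assert browser.get(server) == "olemis"
    server.logout(browser.cookies.pop("trac_session"))  # logout clears cookie + session
    return browser.get(server)  # Basic: "olemis" again; form: "anonymous"
```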
