> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Olemis Lang
> Sent: Friday, January 23, 2009 11:28 AM
> To: [email protected]
> Subject: [Trac] Re: Can not logout when using trac-0.10.5-22.el5 on
> rhel 5
>
>
> On Fri, Jan 23, 2009 at 1:55 PM, Noah Kantrowitz <[email protected]>
> wrote:
> > On Jan 23, 2009, at 10:49 AM, Flatfender wrote:
> >>
> >> The part you're missing is that your browser has your credentials
> >> cached, so even when you click logout and trac expires your session,
> >> a new session gets created b/c instead of getting a enter your
>
> What follows is perhaps a little OT, but anyway ...
>
> When I talk about credentials I mean user + password (perhaps there is
> a different word to refer to this ... but anyway) ... AFAIK this is
> never kept by browsers (talking about Trac ;), but tokens issued by
> Trac itself ... this comment is just to ensure we are using a common
> vocabulary
Incorrect, HTTP auth credentials are kept by the browser for the duration of
the session. This is a "feature" of all modern browsers and cannot (as far as I
know) be disabled.
>
> IMHO (... CMIIW ...) even if the browser keeps this token in memory or
> creates a new token, if it is invalidated by Trac (server-side ;) then
> ... is it still possible that the user session comes back to life? I think
> that expired user tokens should be handled as anonymous or at least
> warn the user about
>
> Now I am not really sure (don't remember ...) how the REMOTE_USER envvar is
> set by Apache ... perhaps the issue is related to this sec mechanism.
>
> I have deployed other apps in dedicated web servers and I had not seen
> this kind of issue so far.
>
> >
> > More specifically the part you are missing is that these credentials
> > aren't stored in a cookie or anything similar, they are just kept in
> > memory in the browser.
>
> you mean ... user + passw ?
>
> > There is nothing in the HTTP authentication
> > standard that allows the web site to request these be cleared.
> > Clicking logout will clear the cookies, but since it can't clear
> > these credentials you will be logged right back in.
>
> ufffff ... well ... If this is the case (user + passw) ... then you're
> absolutely right ...
>
> > Solution: use
> > AccountManager's form-based logins since they are not subject to the
> > wiles of HTTP auth.
> >
>
> Well ... I am looking forward to deploying Trac using CoSign ... in this
> case I could use the CoSign auth form
Never heard of it, but check trac-hacks.
--Noah
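The behaviour Noah describes, as an added toy model (not code from this thread, from Trac or from AccountManager): Apache validates HTTP Basic auth and exports REMOTE_USER, Trac hands out a session cookie, and the browser keeps re-sending the cached Authorization header, so logging out only deletes the session and the next request logs the user straight back in. The form-login path shows why a token-only login does not have that problem. The account store, user name and password are constructed sample values.

```python
import base64
import secrets
USERS = {"alice": "correct horse"}  # constructed account store (an assumption)

def remote_user_from_basic(authorization):
    """Model of Apache checking HTTP Basic auth and exporting REMOTE_USER."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pw else None

class TracLikeApp:  # minimal model of Trac's auth cookie and server-side sessions
    def __init__(self):
        self.sessions = {}  # auth cookie token -> user name
    def _start_session(self, user):
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return user, token
    def request(self, cookie=None, remote_user=None):
        """One page hit: returns (effective user, auth cookie to keep)."""
        if cookie in self.sessions:
            return self.sessions[cookie], cookie
        if remote_user:  # Apache already vouched for the user: new session
            return self._start_session(remote_user)
        return "anonymous", None
    def form_login(self, user, password):  # AccountManager-style: checked once
        return self._start_session(user) if USERS.get(user) == password else ("anonymous", None)
    def logout(self, cookie):
        self.sessions.pop(cookie, None)  # the server-side session is gone

def basic_auth_flow():
    """Browser keeps the Authorization header and re-sends it after logout."""
    app = TracLikeApp()
    hdr = "Basic " + base64.b64encode(b"alice:correct horse").decode()
    user, cookie = app.request(remote_user=remote_user_from_basic(hdr))
    app.logout(cookie)
    after, _ = app.request(cookie, remote_user_from_basic(hdr))  # header cached
    return user, after  # ('alice', 'alice'): logged right back in

def form_login_flow():
    """With a form login nothing is cached to re-send, so logout sticks."""
    app = TracLikeApp()
    user, cookie = app.form_login("alice", "correct horse")
    app.logout(cookie)
    after, _ = app.request(cookie)  # stale cookie only, no Authorization header
    return user, after  # ('alice', 'anonymous')
```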