Paul,

Yes, I have read this document and understand the problem.

So a workaround for me, without having to break the way Sling operates, is to create a filter that sits first in the filter chain. It wraps the request and response to catch the basic auth header if it is set further in the filter chain. If the basic auth header was set, then it creates an HTTP session and adds the auth header value as a session attribute. This results in a session cookie being sent to the browser. Next time the browser sends a request, the session cookie is sent and the session is looked up. We can then get the auth header value session attribute and add it into our wrapped request as a header. So Sling thinks it's dealing with a request with basic auth and the browser is dealing with session-based requests.

It's just an idea at the moment as I can't get the filter to load as yet :(

I'd really like to use Sling for my project, but not being able to log out a user in a standard way across all browsers is a bit of a blocker. I can just imagine trying to explain to people that they need to close the browser to log out. It's not going to go down well. And with Google Chrome and its multiple tabs, it seems you have to close all of them as just closing the tab doesn't clear the basic auth.

Regards

Ben

2009/10/14 Paul McMahon <[email protected]>:
> Here's an explanation of why you can't do a basic auth logout:
>
> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>
> The only way I have ever seen it implemented is JavaScript that closes the
> user's browser - which of course generates a security warning and may not
> work.
>
> I have seen various ideas floated where you tie the realm you set during the
> initial authentication to a session ID and then invalidate the session ID on
> logout so that even though the browser keeps sending the basic auth header on
> the server side you check the realm against the session ID and force
> reauthentication because the session ID isn't valid. I have never seen anyone
> implement that successfully - it has all sorts of issues I could see.
>
> Paul McMahon
>
> --- On Tue, 10/13/09, Ben Short <[email protected]> wrote:
>
> From: Ben Short <[email protected]>
> Subject: Logout
> To: [email protected]
> Date: Tuesday, October 13, 2009, 2:20 PM
>
> Hi,
>
> I need to add a link that allows users to logout of my website. After
> trawling the web I haven't found a way to logout a user while using
> http basic authentication.
>
> This seems like a bit of a killer for me. Can anyone suggest how I
> might proceed?
>
> Regards
>
> Ben Short
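The filter Ben describes, written out as an added Java servlet sketch (not code from the thread or from Sling itself): it caches the Basic `Authorization` header in the session on the first request, replays it to the rest of the chain on later requests via a request wrapper, and invalidates the session on logout. The session attribute name, the `/logout` path and the class names are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: placed first in the chain, it makes Sling see Basic auth
 *  on every request while the browser only carries a session cookie. */
public class BasicAuthSessionFilter implements Filter {
    static final String ATTR = "cached.authorization"; // assumed session attribute name
    static final String LOGOUT_PATH = "/logout";        // assumed logout URL

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);

        // Logout: drop the cached credentials with the session and answer 401.
        if ((http.getContextPath() + LOGOUT_PATH).equals(http.getRequestURI())) {
            if (session != null) session.invalidate();
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String auth = http.getHeader("Authorization");
        if (auth != null && auth.startsWith("Basic ")) {
            http.getSession(true).setAttribute(ATTR, auth); // first request: remember it
        } else if (session != null && session.getAttribute(ATTR) != null) {
            auth = (String) session.getAttribute(ATTR);     // later request: replay it
        }
        chain.doFilter(auth == null ? http : new HeaderInjectingRequest(http, auth), res);
    }

    /** Request wrapper that presents the cached value as the Authorization header. */
    static class HeaderInjectingRequest extends HttpServletRequestWrapper {
        private final String auth;
        HeaderInjectingRequest(HttpServletRequest r, String auth) { super(r); this.auth = auth; }
        @Override public String getHeader(String name) {
            return "Authorization".equalsIgnoreCase(name) ? auth : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            return "Authorization".equalsIgnoreCase(name)
                ? Collections.enumeration(Collections.singletonList(auth))
                : super.getHeaders(name);
        }
    }
}
```

Paul's caveat still applies: the browser keeps resending its cached Basic header after logout, so the next request would simply recreate the session unless the filter also forces reauthentication, for example along the lines of the realm-bound session check he describes. Because the session now carries credentials, the cookie should be marked HttpOnly and Secure and the session given a short timeout.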
