Ticket #10 (closed defect: fixed)

Opened 4 years ago

Last modified 3 years ago

Can't logout when logged into the admin panel

Reported by: kees.burger@… Owned by: support@…
Priority: minor Milestone: Testing
Component: testing Version:
Keywords: Cc:

Description

When I am logged into the admin panel, there is no way to log out. With the admin login still active, visiting a trac and clicking on the login button will log me in as the admin session user.

Workaround to actually log out from the admin session and login as a different user:
- click the logout button in the trac
- clear the browser active sessions and cookies cache
- login again with the desired useraccount

Change History

Changed 4 years ago by support@…

  • owner set to support@…
  • status changed from new to assigned

Not being able to log out is a property of the HTTP Basic Authentication (HBA) that is used for the system. This was chosen because it will allow us to use a single authentication database for all instances of Trac, the subversion repositories, the admin application, and any possible extensions that may be added later.

What happens is that browsers cache the authentication data, and so only a browser restart should result in a logout (caveat: some browser extensions, such as the Web Developer addon for Firefox, will actually let you discard HBA data). Any requests done to the domain after authentication will result in the browser sending an 'Authorization' request header with the encoded authentication data, and the user stays logged in. As a result, clicking 'log in' in Trac may result in the user being logged in without being prompted for a password.

Proposed solution: according to the HTTP specifications, HBA data are cached per authentication realm. We could assign unique realms to all instances of Trac, the user administration, and any other applications. This should result in the user having to authenticate separately for all these environments. The obvious downside is that the user will have to authenticate separately for all these environments.

NB: caching HBA data should not be confused with the storing of passwords in the browser. Browsers will cache HBA data even if a browser is configured not to store passwords.

Changed 4 years ago by support@…

All projects and the administrative interface now use separate realms for authentication. This has the behaviour in Firefox 3.5 and Google Chrome 5. Please verify that this separates authentication per project in other browsers.

NB: note that browsers will still cache the login per project.

Changed 3 years ago by support@…

  • status changed from assigned to closed
  • resolution set to fixed
Note: See TracTickets for help on using tickets.