Logout

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Logout

Ben Short-4
Hi,

I need to add a link that allows users to logout of my website. After
trawling the web I haven't found a way to logout a user while using
http basic authentication.

This seems like a bit of a killer for me. Can anyone suggest how I
might proceed?

Regards

Ben Short

Reply | Threaded
Open this post in threaded view
|

Re: Logout

Alexander Klimetschek
On Tue, Oct 13, 2009 at 22:20, Ben Short <[hidden email]> wrote:
> I need to add a link that allows users to logout of my website. After
> trawling the web I haven't found a way to logout a user while using
> http basic authentication.
>
> This seems like a bit of a killer for me. Can anyone suggest how I
> might proceed?

You can send an XHR request with invalid credentials (using
?sling:authRequestLogin=1). Note that this works on Firefox and IE
only. See also http://markmail.org/thread/dmsgle7quu3nrwnn

Regards,
Alex

--
Alexander Klimetschek
[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Logout

Ben Short-4
What is the value in the basic auth header and how does it relate to
the user? and where are the user details stored?


2009/10/13 Alexander Klimetschek <[hidden email]>:

> On Tue, Oct 13, 2009 at 22:20, Ben Short <[hidden email]> wrote:
>> I need to add a link that allows users to logout of my website. After
>> trawling the web I haven't found a way to logout a user while using
>> http basic authentication.
>>
>> This seems like a bit of a killer for me. Can anyone suggest how I
>> might proceed?
>
> You can send an XHR request with invalid credentials (using
> ?sling:authRequestLogin=1). Note that this works on Firefox and IE
> only. See also http://markmail.org/thread/dmsgle7quu3nrwnn
>
> Regards,
> Alex
>
> --
> Alexander Klimetschek
> [hidden email]
>

Reply | Threaded
Open this post in threaded view
|

Re: Logout

Ben Short-4
I just googled, should of done before asking my last question, and see
that the value in the basic auth header is the the user name and
password Base64 encoded.

2009/10/14 Ben Short <[hidden email]>:

> What is the value in the basic auth header and how does it relate to
> the user? and where are the user details stored?
>
>
> 2009/10/13 Alexander Klimetschek <[hidden email]>:
>> On Tue, Oct 13, 2009 at 22:20, Ben Short <[hidden email]> wrote:
>>> I need to add a link that allows users to logout of my website. After
>>> trawling the web I haven't found a way to logout a user while using
>>> http basic authentication.
>>>
>>> This seems like a bit of a killer for me. Can anyone suggest how I
>>> might proceed?
>>
>> You can send an XHR request with invalid credentials (using
>> ?sling:authRequestLogin=1). Note that this works on Firefox and IE
>> only. See also http://markmail.org/thread/dmsgle7quu3nrwnn
>>
>> Regards,
>> Alex
>>
>> --
>> Alexander Klimetschek
>> [hidden email]
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: Logout

Ben Short-4
I'm wondering about the following as a not so elegant solution to the
logout 'issue'

Create a filter that will be the first filter in the filter chain if
would do something like as follows..

public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
                HttpSession httpSession = ((HttpServletRequest)request).getSession(false);

                String basicAuth = null;

                if ( httpSession != null ) {
                        basicAuth = (String)httpSession.getAttribute("basicAuth");
                }

                if ( basicAuth != null ) {
                        // wrap the request so that when the basic auth header is requested
the basicAuth is returned.
                        // wrap the response so that is te basic auth header is set its not
set on the encapsulated
                        // responce but we can get it in this filter.
                        chain.doFilter(wrapRequest(request, basicAuth), wrapResponce(response));
               
                        basicAuth = ((OurHttpServletResponse)response).getHeader("authorization ");

                        if ( basicAuth != null ) {
                                httpSession = ((HttpServletRequest)request).getSession(true);
                                httpSession.setAttribute("basicAuth", basicAuth);
                        }
                } else {
                        chain.doFilter(request, response);
                }
        }

This would ensure that a http session stuck around and could be
invalidated and therefore logging out the user.

Any thoughts?

Regards

Ben


2009/10/14 Ben Short <[hidden email]>:

> I just googled, should of done before asking my last question, and see
> that the value in the basic auth header is the the user name and
> password Base64 encoded.
>
> 2009/10/14 Ben Short <[hidden email]>:
>> What is the value in the basic auth header and how does it relate to
>> the user? and where are the user details stored?
>>
>>
>> 2009/10/13 Alexander Klimetschek <[hidden email]>:
>>> On Tue, Oct 13, 2009 at 22:20, Ben Short <[hidden email]> wrote:
>>>> I need to add a link that allows users to logout of my website. After
>>>> trawling the web I haven't found a way to logout a user while using
>>>> http basic authentication.
>>>>
>>>> This seems like a bit of a killer for me. Can anyone suggest how I
>>>> might proceed?
>>>
>>> You can send an XHR request with invalid credentials (using
>>> ?sling:authRequestLogin=1). Note that this works on Firefox and IE
>>> only. See also http://markmail.org/thread/dmsgle7quu3nrwnn
>>>
>>> Regards,
>>> Alex
>>>
>>> --
>>> Alexander Klimetschek
>>> [hidden email]
>>>
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: Logout

Paul McMahon-2
In reply to this post by Ben Short-4
Here's an explanation of why you can't do a basic auth logout:

http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq

The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.

I have seen various ideas floated where you tie the realm you set during the initial authentication to a session ID and then invalidate the session ID on logout so that even though the browser keeps sending the basic auth header on the server side you check the realm against the session ID and force reauthentication because the session ID isn't valid. I have never seen anyone implement that successfully - it has all sorts of issues I could see.

Paul McMahon

--- On Tue, 10/13/09, Ben Short <[hidden email]> wrote:

From: Ben Short <[hidden email]>
Subject: Logout
To: [hidden email]
Date: Tuesday, October 13, 2009, 2:20 PM

Hi,

I need to add a link that allows users to logout of my website. After
trawling the web I haven't found a way to logout a user while using
http basic authentication.

This seems like a bit of a killer for me. Can anyone suggest how I
might proceed?

Regards

Ben Short



     
Reply | Threaded
Open this post in threaded view
|

Re: Logout

Ben Short-4
Paul,

Yes I have read this document and understand the problem..

So as a work around for me, without having to break the way sling
operates, is create a filter that sits first in the filter chain. It
wraps the request and response to catches the basic auth header if set
further in the filter chain. If it the basic auth header was set then
it creates a http session and adds the auth header value as a session
attribute. This results in a sesson cookie being sent to the browser.

Next time the browser sends a request the session cookie is sent and
the session is looked up. we can then get the auth header value
session attribute and add it into our wrapped request as a header.

So sling thinks its dealing with a request with basic auth and the
browser is dealing with session based requests.

Its just an idea at the moment as I can't get the filter to load as yet :(

I'd really like to use sling for my project but not being able to log
out a user in a standard way across all browsers is a bit of a
blocker. I can just imagine trying to explain to people that they need
to close the browser to log out. its not going to go down well. and
with google chrome and its multiple tabs it seems you have to close
all of them as just closing the tab dosnt clear the basic auth.

Regards

Ben

2009/10/14 Paul McMahon <[hidden email]>:

> Here's an explanation of why you can't do a basic auth logout:
>
> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>
> The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.
>
> I have seen various ideas floated where you tie the realm you set during the initial authentication to a session ID and then invalidate the session ID on logout so that even though the browser keeps sending the basic auth header on the server side you check the realm against the session ID and force reauthentication because the session ID isn't valid. I have never seen anyone implement that successfully - it has all sorts of issues I could see.
>
> Paul McMahon
>
> --- On Tue, 10/13/09, Ben Short <[hidden email]> wrote:
>
> From: Ben Short <[hidden email]>
> Subject: Logout
> To: [hidden email]
> Date: Tuesday, October 13, 2009, 2:20 PM
>
> Hi,
>
> I need to add a link that allows users to logout of my website. After
> trawling the web I haven't found a way to logout a user while using
> http basic authentication.
>
> This seems like a bit of a killer for me. Can anyone suggest how I
> might proceed?
>
> Regards
>
> Ben Short
>
>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: Logout

Ben Short-4
Well I gave it ago but the ServletRequest gets cast to a
SlingHttpServletRequestImpl further in the chain and this class is not
available to my filter when the bundle is deployed.

Scuppered at every turn :S

2009/10/14 Ben Short <[hidden email]>:

> Paul,
>
> Yes I have read this document and understand the problem..
>
> So as a work around for me, without having to break the way sling
> operates, is create a filter that sits first in the filter chain. It
> wraps the request and response to catches the basic auth header if set
> further in the filter chain. If it the basic auth header was set then
> it creates a http session and adds the auth header value as a session
> attribute. This results in a sesson cookie being sent to the browser.
>
> Next time the browser sends a request the session cookie is sent and
> the session is looked up. we can then get the auth header value
> session attribute and add it into our wrapped request as a header.
>
> So sling thinks its dealing with a request with basic auth and the
> browser is dealing with session based requests.
>
> Its just an idea at the moment as I can't get the filter to load as yet :(
>
> I'd really like to use sling for my project but not being able to log
> out a user in a standard way across all browsers is a bit of a
> blocker. I can just imagine trying to explain to people that they need
> to close the browser to log out. its not going to go down well. and
> with google chrome and its multiple tabs it seems you have to close
> all of them as just closing the tab dosnt clear the basic auth.
>
> Regards
>
> Ben
>
> 2009/10/14 Paul McMahon <[hidden email]>:
>> Here's an explanation of why you can't do a basic auth logout:
>>
>> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>>
>> The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.
>>
>> I have seen various ideas floated where you tie the realm you set during the initial authentication to a session ID and then invalidate the session ID on logout so that even though the browser keeps sending the basic auth header on the server side you check the realm against the session ID and force reauthentication because the session ID isn't valid. I have never seen anyone implement that successfully - it has all sorts of issues I could see.
>>
>> Paul McMahon
>>
>> --- On Tue, 10/13/09, Ben Short <[hidden email]> wrote:
>>
>> From: Ben Short <[hidden email]>
>> Subject: Logout
>> To: [hidden email]
>> Date: Tuesday, October 13, 2009, 2:20 PM
>>
>> Hi,
>>
>> I need to add a link that allows users to logout of my website. After
>> trawling the web I haven't found a way to logout a user while using
>> http basic authentication.
>>
>> This seems like a bit of a killer for me. Can anyone suggest how I
>> might proceed?
>>
>> Regards
>>
>> Ben Short
>>
>>
>>
>>
>

Reply | Threaded
Open this post in threaded view
|

Re: Logout

Alexander Klimetschek
In reply to this post by Paul McMahon-2
On Wed, Oct 14, 2009 at 19:04, Paul McMahon <[hidden email]> wrote:
> Here's an explanation of why you can't do a basic auth logout:
>
> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>
> The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.

As I noted, you can with some tricks, using XHR (ajax). Although my
first answer was a bit wrong. Here is how you do it. For IE, you can
manually clear the cache with a javascript function, although that
removes all credentials currently cached IIRC. For Firefox, you simply
force a login in sling with the anonymous user:

if (document.all) {
    // Internet Explorer: 'ClearAuthenticationCache' is only available in IE
    document.execCommand('ClearAuthenticationCache');

} else {
    var xmlhttp;
    if (window.XMLHttpRequest) {
        xmlhttp = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        try {
            xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');
        } catch (ex) {
            try {
                xmlhttp = new ActiveXObject('Microsoft.XMLHTTP');
            } catch (ex) {}
        }
    }
    if (xmlhttp.readyState < 4) {
        xmlhttp.abort();
    }
    // Firefox/Mozilla: use anonymous "login" to trigger a "logout"
    xmlhttp.open('GET', '/?sling:authRequestLogin=1', false,
'anonymous', 'null');
    xmlhttp.send('');
}

For Safari, Chrome and Opera you have to use the Authorization cookie,
as noted before.

Regards,
Alex

--
Alexander Klimetschek
[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Logout

Ben Short-4
Hi,

Thanks for all this information.

It would be very handy for me and probably others if a good working
example was put together showing how this all works.

Regards

Ben Short



2009/10/15 Alexander Klimetschek <[hidden email]>:

> On Wed, Oct 14, 2009 at 19:04, Paul McMahon <[hidden email]> wrote:
>> Here's an explanation of why you can't do a basic auth logout:
>>
>> http://httpd.apache.org/docs/1.3/howto/auth.html#basicfaq
>>
>> The only way I have ever seen it implemented is JavaScript that closes the user's browser - which of course generates a security warning and may not work.
>
> As I noted, you can with some tricks, using XHR (ajax). Although my
> first answer was a bit wrong. Here is how you do it. For IE, you can
> manually clear the cache with a javascript function, although that
> removes all credentials currently cached IIRC. For Firefox, you simply
> force a login in sling with the anonymous user:
>
> if (document.all) {
>    // Internet Explorer: 'ClearAuthenticationCache' is only available in IE
>    document.execCommand('ClearAuthenticationCache');
>
> } else {
>    var xmlhttp;
>    if (window.XMLHttpRequest) {
>        xmlhttp = new XMLHttpRequest();
>    } else if (window.ActiveXObject) {
>        try {
>            xmlhttp = new ActiveXObject('Msxml2.XMLHTTP');
>        } catch (ex) {
>            try {
>                xmlhttp = new ActiveXObject('Microsoft.XMLHTTP');
>            } catch (ex) {}
>        }
>    }
>    if (xmlhttp.readyState < 4) {
>        xmlhttp.abort();
>    }
>    // Firefox/Mozilla: use anonymous "login" to trigger a "logout"
>    xmlhttp.open('GET', '/?sling:authRequestLogin=1', false,
> 'anonymous', 'null');
>    xmlhttp.send('');
> }
>
> For Safari, Chrome and Opera you have to use the Authorization cookie,
> as noted before.
>
> Regards,
> Alex
>
> --
> Alexander Klimetschek
> [hidden email]
>