Basic Authentication Logout
We recently switched from form-based authentication to basic authentication for some custom code we have written. We've noticed that the logout functionality does not log the user out. Instead it returns them to the current page of the project site as if nothing happened. Our understanding is that the web browser must be closed to log out the sessions. My question is how do you log out from a session without closing the browser?
Thanks in advance, Derry
Accepted answer
Invalidating the session won't help much with Basic auth because the browser will continue sending the Authorization header and you'll just get a new session id, which the user won't even notice. The user will not appear to be logged out.

HTTP Basic auth actually has no concept of logout because it's a stateless protocol (it sends credentials with every request). It's a very old protocol, and browsers will simply continue sending the credentials automatically as long as the browser is open. I've heard that there are some hacks that can somewhat emulate a logout experience, but I don't know if or how well they work. There might be a way to get browsers to throw the credentials away without reopening the browser, but I don't know of it, and it will probably be different for different browsers. I tried clearing my active logins in FF but it didn't do anything.

If you switched because it would be easier for your programmatic clients to access the data, there are at least a couple of alternatives to switching entirely to Basic auth.

1) You can still authenticate programmatic clients using JEE form-based auth; it just requires a little more effort. You have to watch for 302 redirects to an HTML page containing the standard login form field IDs (I think it's j_user_id and j_password?). You also have to maintain the JSESSIONID cookie so that it knows who you are for subsequent requests.

2) You could implement a custom authentication solution to handle both form-based AND basic auth. It would require some work to implement this and you'd likely need to insert a proxy in front of the server. I've seen this working in practice.
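To make the accepted answer's point concrete, here is an added Python model (not code from the question or from the Jazz/RTC project) of a container that accepts a session cookie, a Basic Authorization header, or the JEE login-form fields; the user, password and session handling are constructed for the demo. Invalidating the session logs a form-based client out, but a client that used Basic auth replays the header on its next request and is silently handed a new session.

```python
import base64
import secrets

USERS = {"derry": "example-password"}  # constructed demo user, not real credentials

def basic_user(headers):
    """Decode 'Authorization: Basic base64(user:pass)'; return the user if the password matches."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pw else None

class Server:
    """Minimal model of a servlet container keeping sessions under a JSESSIONID cookie."""
    def __init__(self):
        self.sessions = {}  # session id -> username

    def request(self, headers, cookies, form=None):
        """Return (status, session_id); a live session cookie wins, else Basic or form credentials."""
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions:
            return 200, sid
        user = basic_user(headers)
        if user is None and form and USERS.get(form.get("j_username")) == form.get("j_password"):
            user = form["j_username"]  # standard JEE form login fields
        if user is None:
            return 401, None
        sid = secrets.token_hex(8)  # fresh session for whoever just authenticated
        self.sessions[sid] = user
        return 200, sid

    def logout(self, cookies):
        """HttpSession.invalidate(): the server forgets the session and nothing else."""
        self.sessions.pop(cookies.get("JSESSIONID"), None)

def logout_effect(basic):
    """Log in, invalidate, replay the next request; returns (status, old session id reused?)."""
    server = Server()
    headers, form = {}, {"j_username": "derry", "j_password": "example-password"}
    if basic:  # a browser resends this header on every request until it is closed
        headers["Authorization"] = "Basic " + base64.b64encode(b"derry:example-password").decode()
    _, sid = server.request(headers, {}, form=None if basic else form)
    server.logout({"JSESSIONID": sid})
    status, new_sid = server.request(headers, {"JSESSIONID": sid})  # stale cookie, no form
    return status, new_sid == sid
```

`logout_effect(True)` returns `(200, False)`: the Basic client is back in under a fresh session id without ever re-entering credentials, while `logout_effect(False)` returns `(401, False)` because the form-based client has nothing but the invalidated cookie.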
6 other answers
Hi Derry, in order to log out you can try to destroy the HTTP session from whatever HTTP client you are using. Which one are you using (Apache, etc.)? Boris
Geoffrey Clemm | answered Nov 16 '11, 12:38 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
There are two questions here:
(1) How would a programmatic client (e.g., one using OSLC, the internal RTC HTTP API, or the Java API) perform a logout? It sounds like the answer to that is to destroy the HTTP session that this programmatic client created. (Is there a Java API for this?)
(2) When you switch your RTC server to use basic authentication, why doesn't clicking the "logout" button actually log you out? This would just be a bug, and we'd want to get a work item submitted with the details (version of RTC, which web browser you were using). Cheers, Geoff
http://download.oracle.com/javaee/1.4/api/javax/servlet/http/HttpSession.html#invalidate()
or <session> should work, no? Boris?
Hi Boris, this is not so much a programmatic issue as a client-side functional issue. The logout link in the web client doesn't do anything. This happens with IE8 and, just confirmed, Firefox.
Geoffrey Clemm | answered Nov 18 '11, 7:38 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
For client-side functional issues, in general, we'd want to start a thread in the jazz.users forum. But in this case, it sounds like it is just a bug in the web UI, so I've submitted defect 185588. There is still question 2, i.e. "how do I programmatically release a license". That would be a question for this forum (:-). Cheers, Geoff
I am using .NET code to interact with RAM and using basic authentication and REST API (REST service) that RAM provides.
To log out of the session, I make a GET request to http://ramserver:port/logout.faces and it works fine for me.