Basic Authentication Logout


derry davis (23221916) | asked Nov 16 '11, 10:24 a.m.
We recently switched from form based authentication to basic authentication for some custom code we have written. We've noticed that the log out functionality does not log the user out. Instead it returns them to the current page of the project site as if nothing happened. Our understanding is that the web browser must be closed to log out the sessions. My question is how do you log out from a session without closing the browser?
Thanks in advance,
Derry

Accepted answer


Curtis d'Entremont (1.3k3) | answered Jun 28 '12, 2:05 p.m.
FORUM MODERATOR / JAZZ DEVELOPER
Invalidating the session won't help much with Basic auth because the browser will continue sending the Authorization header and you'll just get a new session id, which the user won't even notice. The user will not appear to be logged out.

HTTP Basic auth has actually no concept of logout because it's a stateless protocol (sends credentials for every request). It's a very old protocol, and browsers will simply continue sending the credentials automatically as long as the browser is open. I've heard that there are some hacks that can somewhat emulate a logout experience, but I don't know if or how well they work.

There might be a way to get browsers to throw the credentials away without reopening the browser, but I don't know of it, and it will probably be different for different browsers. I tried clearing my active logins in FF but it didn't do anything.

If you switched because it would be easier for your programmatic clients to access the data, there are at least a couple alternatives to switching entirely to Basic auth:

1) You can still authenticate programmatic clients using JEE form-based auth, it just requires a little more effort. You have to watch for 302 redirects to an HTML page containing the standard login form field IDs (I think it's j_user_id and j_password?). You also have to maintain the JSESSIONID cookie so that it knows who you are for subsequent requests.

2) You could implement a custom authentication solution to handle both form-based AND basic auth. It would require some work to implement this and you'd likely need to insert a proxy in front of the server. I've seen this working in practice.

derry davis selected this answer as the correct answer
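The behaviour described in the accepted answer, as an added example that is not part of the original thread: a toy in-process server and a browser model that replays cached Basic credentials, showing that invalidating the session only yields a new session id. The account, paths and all function and class names here are constructed for illustration.

```python
import base64
import hmac
import secrets

USERS = {"derry": "s3cret"}      # constructed account
SESSIONS = {}                    # session id -> user name

def handle(path, headers):
    """Toy server. Returns (status, user, new_session_id_or_None)."""
    sid = headers.get("Cookie", "").partition("JSESSIONID=")[2]
    if path == "/logout":
        SESSIONS.pop(sid, None)          # like HttpSession.invalidate()
        return 200, None, None
    if sid in SESSIONS:
        return 200, SESSIONS[sid], None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme == "Basic":
        user, _, pw = base64.b64decode(token).decode().partition(":")
        if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
            new_sid = secrets.token_hex(8)
            SESSIONS[new_sid] = user     # silent re-login with a fresh session
            return 200, user, new_sid
    return 401, None, None               # a real server adds WWW-Authenticate: Basic

class Browser:
    """Once credentials are entered, they are replayed on every request."""
    def __init__(self):
        self.headers = {}

    def login(self, user, pw):
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        self.headers["Authorization"] = "Basic " + token

    def get(self, path):
        status, user, new_sid = handle(path, self.headers)
        if new_sid:
            self.headers["Cookie"] = "JSESSIONID=" + new_sid
        return status, user, new_sid

def demo():
    """Log in, hit /logout, then request a page again with the same browser."""
    b = Browser()
    b.login("derry", "s3cret")
    first = b.get("/project")
    b.get("/logout")                     # server-side session is destroyed
    after = b.get("/project")            # Authorization header is still sent
    return first, after
```
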

6 other answers



Kangkan Goswami (1571621) | answered Jun 27 '12, 4:43 a.m.
I am using .NET code to interact with RAM and using basic authentication and REST API (REST service) that RAM provides.

To log out of the session, I make a GET request to http://ramserver:port/logout.faces and it works fine for me.

Geoffrey Clemm (30.1k33035) | answered Nov 18 '11, 7:38 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
For client-side functional issues, in general, we'd want to start a
thread in the jazz.users forum. But in this case, it sounds like it is
just a bug in the web UI, so I've submitted defect 185588.

There still is question 2, i.e. "how do I programmatically release a
license". That would be a question for this forum (:-).

Cheers,
Geoff

On 11/17/2011 2:53 PM, derrydavis wrote:
kuschel wrote:

Hi Derry,

In order to log out you can try to destroy the HTTP session from
whatever HTTP client you are using. Which one are you using (apache,
etc.)?

Boris

Hi Boris,
This is not so much a programmatic issue as a client-side functional
issue. The logout link in the web client doesn't do anything. This
happens with IE8. And, just confirmed, FireFox.

derry davis (23221916) | answered Nov 17 '11, 2:42 p.m.

Hi Derry,

In order to log out you can try to destroy the HTTP session from whatever HTTP client you are using. Which one are you using (apache, etc.)?

Boris


Hi Boris,
This is not so much a programmatic issue as a client-side functional issue. The logout link in the web client doesn't do anything. This happens with IE8. And, just confirmed, FireFox.

Christophe Elek (2.9k13021) | answered Nov 16 '11, 12:41 p.m.
JAZZ DEVELOPER
http://download.oracle.com/javaee/1.4/api/javax/servlet/http/HttpSession.html#invalidate()
or
<session>

should work, no? Boris?

Geoffrey Clemm (30.1k33035) | answered Nov 16 '11, 12:38 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
There are two questions here ...

(1) how would a programmatic client (e.g., using OSLC, the internal RTC
HTTP API, or the Java API) perform a logout. It sounds like the answer
to that is to destroy the HTTP session that this programmatic client
created. (Is there Java API for this?)

(2) When you switch your RTC server to use basic authentication, why
doesn't clicking the "logout" button actually log you out. This would
just be a bug, and we'd want to get a work item submitted with the
details (version of RTC, which web browser you were using).

Cheers,
Geoff

On 11/16/2011 11:08 AM, kuschel wrote:
derrydavis wrote:
We recently switched from form based authentication to basic
authentication for some custom code we have written. We've noticed
that the log out functionality does not log the user out. Instead it
returns them to the current page of the project site as if nothing
happened. Our understanding is that the web browser must be closed to
log out the sessions. My question is how do you log out from a session
without closing the browser?
Thanks in advance,
Derry

Hi Derry,

In order to log out you can try to destroy the HTTP session from
whatever HTTP client you are using. Which one are you using (apache,
etc.)?

Boris

Boris Kuschel (331113) | answered Nov 16 '11, 11:06 a.m.
JAZZ DEVELOPER
We recently switched from form based authentication to basic authentication for some custom code we have written. We've noticed that the log out functionality does not log the user out. Instead it returns them to the current page of the project site as if nothing happened. Our understanding is that the web browser must be closed to log out the sessions. My question is how do you log out from a session without closing the browser?
Thanks in advance,
Derry


Hi Derry,

In order to log out you can try to destroy the HTTP session from whatever HTTP client you are using. Which one are you using (apache, etc.)?

Boris
