Changes between Initial Version and Version 1 of Ticket #423


Timestamp: 22.03.2013 04:48:56 (12 years ago)
Author: jri
Comment:

I've further isolated the issue. It's not related to the DM Karaf distro at all.

The issue is related to the browser's own login dialog. Its appearance in turn is related to the dm4.security.read_requires_login DM config property. (The DM Karaf distro sets it true by default. In contrast, the DM standard distro sets it false by default.)

This is a known HTTP problem. HTTP provides no logout semantics. The browser caches the information entered in the browser's own login dialog and re-sends it with every request. There is no way to clear that cache besides quitting the browser.

A while ago I read about a possible workaround: as far as I remember it involves an AJAX request to be sent after the logout request, and enforcing a 401 (by sending dummy credentials in the Authorization header). The workaround is based on the fact that (in contrast to a "normal" request) an AJAX request with a 401 response does *not* bring up the browser's own login dialog but resets the cached credentials. (I'm not fully sure about this, but there is such a workaround. It is also utilized by the Trac software.)

I will try to utilize that workaround for DM as well.

Hint: when dm4.security.read_requires_login is set to false the problem does *not* occur. Logout works fine in this case. The browser's own login dialog is not involved then.

  • Ticket #423

    • Property Status changed from new to accepted
    • Property Area changed from Runtime Environment to
    • Property Module changed from to deepamehta-accesscontrol
    • Property Summary changed from Karaf distro: logout doesn't work to Logout doesn't work
    • Property Priority changed from Major to Critical
    • Property Owner changed from dgf to jri
  • Ticket #423 – Description

    initial  v1
    1        1   When logging out the "logged-in" status (upper/right corner) disappears but the user actually remains logged in. While logging out in the server-log you see 2 (!) new sessions are created immediately.
             2
             3   This happens only in case the `dm4.security.read_requires_login` DM config property is set to `true`. Otherwise Logout works fine.
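
The workaround sketched in the comment above, written out as an added example (not code from the ticket, DeepaMehta or Trac): after the logout request, a scripted request with dummy credentials in the Authorization header is sent to a protected resource, and a 401 is the expected answer. The URLs, the dummy user name and the function names are assumptions, and whether a given browser then drops its cached credentials is the comment's premise, not something this code verifies.

```javascript
// Added example. DUMMY_USER/DUMMY_PASS and all URLs are hypothetical;
// the dummy user must not correspond to any real account.
const DUMMY_USER = "logged-out";
const DUMMY_PASS = "invalid";

// Base64 helper that works in browsers (btoa) and in Node (Buffer).
function toBase64(s) {
  return typeof btoa === "function"
    ? btoa(s)
    : Buffer.from(s, "utf8").toString("base64");
}

// Build the scripted request that the server is expected to reject with 401.
// The explicit Authorization header replaces whatever the browser has cached.
function buildResetRequest(protectedUrl) {
  return {
    url: protectedUrl,
    options: {
      method: "GET",
      cache: "no-store", // never answer this probe from the HTTP cache
      headers: {
        Authorization: "Basic " + toBase64(DUMMY_USER + ":" + DUMMY_PASS),
      },
    },
  };
}

// Interpret the status code returned for the dummy-credential request.
function resetOutcome(status) {
  if (status === 401) return "rejected"; // expected: dummy login refused
  if (status >= 200 && status < 300) return "still-authorized"; // logout incomplete or resource unprotected
  return "unexpected";
}

// Step 1: regular logout request (invalidates the server-side session).
// Step 2: dummy-credential request, as described in the comment.
// fetchImpl is injected so the flow can be exercised without a browser.
async function logoutAndResetBasicAuth(fetchImpl, logoutUrl, protectedUrl) {
  await fetchImpl(logoutUrl, { method: "POST", credentials: "same-origin" });
  const { url, options } = buildResetRequest(protectedUrl);
  const res = await fetchImpl(url, options);
  return resetOutcome(res.status);
}
```

A result of "still-authorized" means the server accepted the request despite the dummy credentials, so the UI should not report the user as logged out.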