Ticket #471 (closed Defect: fixed)
The browser's login dialog appears on logout
Reported by: | jri | Owned by: | jri |
---|---|---|---|
Priority: | Major | Milestone: | Release 4.2 |
Component: | DeepaMehta Standard Distribution | Version: | 4.1 |
Keywords: | Cc: | dgf, Malte, tsc | |
Complexity: | 8 | Area: | GUI / Usability |
Module: | deepamehta-accesscontrol |
Description
This is because DM relies on request authorization provided by HTTP. However HTTP has no concept of a user session or logout. As a workaround the browser's login dialog appears at logout. See also #423.
Note: at the time the login dialog appears the user is already logged out. It is safe to press Cancel.
However from the usability perspective this workaround is unacceptable.
A solution would be to not rely on HTTP for authorization but handle it at application-level. A 401 response (Unauthorized) must never be sent to the client. This requires considerable modification of DMs Access Control and Security implementation. In particular the concept of a private DM installation must be reconsidered.
Change History
comment:2 Changed 12 years ago by jri
I've found a very promising discovery here:
http://loudvchar.blogspot.ca/2010/11/avoiding-browser-popup-for-401.html
With some trial and error, we found that the pop up is triggered not due to the presence of 401 but due to the presence of the challenge.
WWW-Authenticate: Basic realm=com.example
So, as a web service developer, if you want to help service consumers disable the pop up and still send 401, you could use a trick. Replace Basic with your own scheme, e.g. xBasic as shown below.
WWW-Authenticate: xBasic realm=com.example
This way the DM server can control purposefully weather the browser's login dialog should appear on a 401 or not. And its still HTTP conform. (HTTP 1.1 RFC 2616 states that a WWW-Authenticate header MUST be present in a 401 response).
Note: a private DM installation still relies on the browser's login dialog, while a default DM installation must suppress it.
I checked it with Google Chrome. It works!
comment:3 Changed 12 years ago by Jörg Richter
Access Control: suppress login dialog (#471).
In a default DM installation: the browser's login dialog does not appear anymore when logging in via DM's login dialog failed. You keep staying in DM's login dialog. This applies in particular to Google Chrome.
Bottom line: in a default DM installation the browser's login dialog never appears. Regardless of browser (Safari, Firefox, Chrome).
However, in a private DM installation (dm4.security.read_requires_login=true) there is still an issue with logout: in Firefox and Chrome the browser login dialog still appears when clicking the Logout link. Remember: this dialog is a "dummy", you can press Cancel and you're logged out properly.
See ticket 471.
Some findings: some browsers bring up theirs login dialog on a 401 response resulting from an AJAX request, some don't:
This doesn't help so far.
However, its interesting to see that Firefox has apparently changed its mind (to the better I think) during the the past releases.