Ticket #471 (closed Defect: fixed)

Opened 11 years ago

Last modified 11 years ago

The browser's login dialog appears on logout

Reported by: jri Owned by: jri
Priority: Major Milestone: Release 4.2
Component: DeepaMehta Standard Distribution Version: 4.1
Keywords: Cc: dgf, Malte, tsc
Complexity: 8 Area: GUI / Usability
Module: deepamehta-accesscontrol

Description

This is because DM relies on request authorization provided by HTTP. However, HTTP has no concept of a user session or logout. As a workaround the browser's login dialog appears at logout. See also #423.

Note: at the time the login dialog appears the user is already logged out. It is safe to press Cancel.

However from the usability perspective this workaround is unacceptable.

A solution would be to not rely on HTTP for authorization but handle it at application level. A 401 response (Unauthorized) must never be sent to the client. This requires considerable modification of DM's Access Control and Security implementation. In particular the concept of a private DM installation must be reconsidered.

Change History

comment:1 Changed 11 years ago by jri

Some findings: some browsers bring up their login dialog on a 401 response resulting from an AJAX request, some don't:

  • Safari 5.1.9 (Mac OS X 10.6) does NOT
  • Google Chrome 27 DOES
  • Firefox 15 DOES
  • Firefox 19 does NOT
  • Firefox 21 (the latest as of this writing) does NOT

This doesn't help so far.
However, it's interesting to see that Firefox has apparently changed its mind (for the better, I think) during the past releases.

comment:2 Changed 11 years ago by jri

I've found a very promising discovery here:
http://loudvchar.blogspot.ca/2010/11/avoiding-browser-popup-for-401.html

With some trial and error, we found that the pop up is triggered not due to the presence of 401 but due to the presence of the challenge.

WWW-Authenticate: Basic realm=com.example

So, as a web service developer, if you want to help service consumers disable the pop up and still send 401, you could use a trick. Replace Basic with your own scheme, e.g. xBasic as shown below.

WWW-Authenticate: xBasic realm=com.example

This way the DM server can purposefully control whether the browser's login dialog should appear on a 401 or not. And it's still HTTP conformant. (The HTTP 1.1 RFC 2616 states that a WWW-Authenticate header MUST be present in a 401 response.)

Note: a private DM installation still relies on the browser's login dialog, while a default DM installation must suppress it.

I checked it with Google Chrome. It works!

Last edited 11 years ago by jri
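The server-side half of the trick described above, as an added example that is not DeepaMehta's own code: a minimal request handler that answers unauthenticated requests with a 401 and chooses the challenge scheme from the installation mode. The `read_requires_login` flag, the realm string, the `basic_header` helper and the in-memory `USERS` store are assumptions constructed for this example; a real deployment would check against a hashed credential store.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field

# Constructed for this example: realm name and a stand-in user store.
# Plaintext passwords here only keep the example short; production code
# compares against salted hashes instead.
REALM = "DeepaMehta"
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def challenge_header(read_requires_login: bool) -> str:
    """Build the WWW-Authenticate value for a 401 response.

    RFC 2616 requires the header on every 401, but browsers only open their
    own login dialog for a scheme they recognise. A private installation
    (read_requires_login=True) wants that dialog; a default installation
    uses a non-standard scheme name so the application's own dialog stays
    in control.
    """
    scheme = "Basic" if read_requires_login else "xBasic"
    return f'{scheme} realm="{REALM}"'


def basic_header(user: str, password: str) -> str:
    """Client-side helper: encode credentials as a Basic Authorization value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_credentials(authorization):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    if not authorization:
        return None
    parts = authorization.split(" ", 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison against the stored password."""
    expected = USERS.get(user)
    if expected is None:
        # Compare anyway so unknown users take the same time as known ones.
        hmac.compare_digest(password.encode("utf-8"), password.encode("utf-8"))
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


def handle_request(headers: dict, read_requires_login: bool) -> Response:
    """Authorize one request; on failure send a 401 whose challenge scheme
    decides whether the browser's native dialog may appear."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        return Response(
            401,
            {"WWW-Authenticate": challenge_header(read_requires_login)},
            "Unauthorized",
        )
    return Response(200, {}, f"Hello {creds[0]}")


if __name__ == "__main__":
    # Default installation: failed login stays in the application's dialog.
    print(handle_request({}, read_requires_login=False).headers)
    # Private installation: the browser's dialog is wanted, so use Basic.
    print(handle_request({}, read_requires_login=True).headers)
```

The only difference between the two modes is the scheme token in the challenge; credential parsing and checking are identical, which is what keeps the workaround HTTP conformant while still letting the server decide who shows the dialog.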

comment:3 Changed 11 years ago by Jörg Richter

Access Control: suppress login dialog (#471).

In a default DM installation: the browser's login dialog does not appear anymore when logging in via DM's login dialog failed. You keep staying in DM's login dialog. This applies in particular to Google Chrome.
Bottom line: in a default DM installation the browser's login dialog never appears. Regardless of browser (Safari, Firefox, Chrome).

However, in a private DM installation (dm4.security.read_requires_login=true) there is still an issue with logout: in Firefox and Chrome the browser login dialog still appears when clicking the Logout link. Remember: this dialog is a "dummy", you can press Cancel and you're logged out properly.

See ticket 471.

comment:4 Changed 11 years ago by jri

  • Status changed from new to closed
  • Resolution set to fixed

While the browser login dialog is not prohibited in any situation the current state provides a significant improvement. This ticket is regarded as complete.
