On Fri, Jan 23, 2009 at 10:54 AM, Olemis Lang <ole...@gmail.com> wrote:
>
> On Fri, Jan 23, 2009 at 9:54 AM, Flatfender <flatfen...@gmail.com> wrote:
>>
>> As far as I understand the reason you can't do a real log out, is that
>> Trac just hands off authentication to the web server, in most cases
>> Apache or tracd.  The browser then caches the HTTP auth so that the
>> user doesn't have to retype it for every request.  Unless you
>> implement a form based login as opposed to http auth based, this will
>> not change.
>
> However I use Opera so I can control in detail a lot of things about
> my browser activity (i.e. no need for plugins or extensions for
> «trivial» things ;) ... so I see the
>
> <mysite> <path> trac_session
>
> cookie set ... and neither Apache nor tracd set this variable, but
> instead Trac session system ... (... isn't it ? ;).
>
>> Closing the browser performs a real log out, or if you're
>> using something like Firefox, and have the developer plugin, you can
>> clear the http auth cache.
>
> ... using Apache the only thing I should do is to delete these
> cookies ... using tracd the issue persists even if my cookies are
> deleted ... this makes me think that Trac is involved ... somehow ...
> or not ?
>
>> Trac developers are pretty clear on the
>> fact that user authentication is left up to external methods (IE: http
>> auth via whatever password store, pam, ldap, htpasswd, etc) as
>> opposed to building login/logout session functionality into trac.
>>
>
> ... yes ... only form based auth ... but logout links are provided by
> Trac itself, disregarding the auth provider/handler involved ... so
> these links should clear cookies, session data, ... and so on, so that
> the next time the user visits the site, this data is not valid anymore
> ... and this is not Apache or tracd responsibility IMHO since sessions
> are managed by Trac itself ... CMIIW ... pls
>
> Otherwise ... how could I config Apache so as to allow users to logout ?
>
> --
> Regards,
>
> Olemis.

You're talking about two things here: Authentication and Authorization.
Authentication says who you are, Authorization says what you're allowed to
do.  Trac delegates Authentication to the web server and as I said
before the browser caches that.  Trac does not use cookies for
Authentication, it uses cookies for Authorization so it can save who
you are, so you can then be validated against the permission system.

Matt P.
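
Added example, not part of the original thread and not Trac's code: a toy WSGI app and a browser model showing the behaviour discussed above, where expiring the application's cookie does not end a login that rests on cached HTTP Basic credentials. The `demo_session` cookie, the `BrowserModel` class and the credentials are all constructed for illustration.

```python
import base64

USERS = {"alice": "s3cret"}  # constructed credentials for the demo

def app(environ, start_response):
    """Toy WSGI app: HTTP Basic decides who you are; a cookie only remembers it."""
    user, auth = None, environ.get("HTTP_AUTHORIZATION", "")
    if auth.startswith("Basic "):
        name, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        user = name if USERS.get(name) == password else None
    if environ["PATH_INFO"] == "/logout":  # the app can only expire its own cookie
        start_response("200 OK", [("Set-Cookie", "demo_session=; Max-Age=0")])
        return [b"logged out"]
    if user is None:
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="demo"')])
        return [b"authentication required"]
    start_response("200 OK", [("Set-Cookie", "demo_session=" + user)])
    return [("hello " + user).encode()]

class BrowserModel:
    """Cookie jar plus the credential cache a browser keeps for HTTP auth."""
    def __init__(self):
        self.cookies, self.cached_auth = {}, None

    def login(self, name, password):  # the user fills in the auth dialog once
        self.cached_auth = "Basic " + base64.b64encode(f"{name}:{password}".encode()).decode()

    def get(self, path):
        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
        if self.cached_auth:  # re-sent automatically on every request
            environ["HTTP_AUTHORIZATION"] = self.cached_auth
        seen = {}
        body = b"".join(app(environ, lambda s, h: seen.update(status=s, headers=h)))
        for key, value in seen["headers"]:
            if key == "Set-Cookie":
                cname, _, rest = value.partition("=")
                cvalue, _, attrs = rest.partition(";")
                self.cookies[cname] = cvalue
                if "Max-Age=0" in attrs:  # server asked for the cookie to be dropped
                    del self.cookies[cname]
        return seen["status"], body.decode()

def demo():
    b = BrowserModel()
    first = b.get("/")[0]          # no credentials yet
    b.login("alice", "s3cret")
    return [first] + [b.get(p)[1] for p in ("/", "/logout", "/")]

if __name__ == "__main__":
    print(demo())
```

The request after `/logout` succeeds again because the model re-sends the cached `Authorization` header; only clearing `cached_auth`, the equivalent of closing the browser, brings back the 401.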
