
#504 HTTP "WWW-Authenticate: Basic" log out fixation

closed-out-of-date
nobody
5
2015-07-25
2010-03-25
No

The patch changes the mechanism of the HTTP "WWW-Authenticate: Basic" log out fixation which is described in Limitation FAQ 3.1
Modified Files: ./libraries/auth/http.auth.lib.php

The mechanism is implemented with a session and a redirection to set a session variable

Discussion

  • shahadat hossain khan

    ./libraries/auth/http.auth.lib.php.diff

     
  • shahadat hossain khan

    • milestone: --> Finished,_needs_serious_tests
    • priority: 5 --> 9
     
  • Marc Delisle

    Marc Delisle - 2010-03-25
    • priority: 9 --> 5
     
  • Marc Delisle

    Marc Delisle - 2010-03-26
    • assigned_to: nobody --> lem9
     
  • Marc Delisle

    Marc Delisle - 2010-03-26

    The patch contains even non-changed lines; it's difficult to see what has changed.
    However, I'm not sure we want to include such complex code just to fix this kind of problem.

     
  • Marc Delisle

    Marc Delisle - 2010-03-26
    • assigned_to: lem9 --> nobody
     
  • shahadat hossain khan

    So, what do I need to do? Please suggest... I know it's complex but I feel the change is badly needed.

    Anyway, please suggest what to do.

     
  • shahadat hossain khan

    The code that I modified to fix the error

     
  • Marc Delisle

    Marc Delisle - 2010-03-27

    You might not know this but in general we want to avoid redirections. There are a few in the code but we tend to remove them. Also, this limit has been there for many years and I don't feel that the change is "needed badly". Finally, I don't have the time right now to understand the complex code; adding complex code to a code base is not a good idea. anyway

    This patch can stay there in the tracker for some future time. Meanwhile please submit another, more simple patch about another subject, but first ask us if the feature or fix are needed.

    Also, a patch should contain only the changed lines, not all the lines like what you submitted!

     
  • shahadat hossain khan

    Well... if you have support for testing the code, please arrange it.

     
  • shahadat hossain khan

    One more request: can you please assign a small problem that needs fixing....

     
  • Michal Čihař

    Michal Čihař - 2010-03-29

    Do I read it correctly that the main functionality is to change realm on logout? I think such functionality can be implemented in much fewer lines.

     
  • Michal Čihař

    Michal Čihař - 2010-03-29
    • assigned_to: nobody --> nijel
     
  • shahadat hossain khan

    Yes, you got it... change realm on logout...

    There is another challenge: when the user clicks the cancel button without providing a user id and password.

    If you analyse the flow of "WWW-Authenticate: Basic", you find it completes its run before any output to the client. So the session is set before the "WWW-Authenticate: Basic" action is taken... so you can't tell when the user clicks the cancel button...

    To get the user's interaction, the code needs redirection.
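
The "change realm on logout" idea discussed above, as an added PHP example that is not the attached patch and not phpMyAdmin's http.auth.lib.php. The realm text, the session keys, the `?logout` parameter and `check_credentials()` are assumptions made for illustration; it covers realm rotation only and does not detect the Cancel case.

```php
<?php
declare(strict_types=1);
// Added example. Realm text, session keys, the ?logout parameter and
// check_credentials() are hypothetical, not taken from http.auth.lib.php.

function check_credentials(string $user, string $pass): bool
{
    // Constructed demo account; a real application asks its backend.
    return hash_equals('demo', $user) && hash_equals('demo-password', $pass);
}

function send_challenge(): void
{
    // The realm names the protection space (RFC 7617). A realm the browser
    // has not seen has no cached credentials, so it has to prompt.
    $realm = 'Example admin ' . $_SESSION['realm_id'];
    header('WWW-Authenticate: Basic realm="' . $realm . '"', true, 401);
    echo 'Authentication required.'; // what the user sees after Cancel
    exit;
}

session_start();
$_SESSION['realm_id'] ??= bin2hex(random_bytes(4));

// Treat ?logout as a logout only while the session is logged in. The retry
// that carries the newly typed credentials hits the same URL, and by then
// 'user' is unset, so it falls through to the normal login check below.
if (isset($_GET['logout'], $_SESSION['user'])) {
    unset($_SESSION['user']);
    $_SESSION['realm_id'] = bin2hex(random_bytes(4)); // rotate the realm
    send_challenge();
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if ($user === '' || !check_credentials($user, $pass)) {
    send_challenge();
}

// Limitation raised in the thread: PHP never learns that the user pressed
// Cancel. A browser that still holds the old credentials may send them again
// on a later request, and this check would accept them.
if (($_SESSION['user'] ?? null) !== $user) {
    session_regenerate_id(true); // new session id on each fresh login
    $_SESSION['user'] = $user;
}
echo 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```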

     
  • Michal Čihař

    Michal Čihař - 2010-03-30

    Can you please provide a patch which does just the minimal required changes, possibly separated into two steps - changing realm on logout and the redirection magic. The currently attached patch is too complex to review and IMHO does too many things.

     
  • Michal Čihař

    Michal Čihař - 2010-08-23

    Any progress on this?

     
  • Michal Čihař

    Michal Čihař - 2011-02-08
    • status: open --> pending-out-of-date
     
  • shahadat hossain khan

    Clean code with example

     
  • shahadat hossain khan

    • status: pending-out-of-date --> open-out-of-date
     
  • shahadat hossain khan

    I just made a clean file of authentication and a separate file for the example..

     
  • Michal Čihař

    Michal Čihař - 2011-03-04
    • assigned_to: nijel --> nobody
     
  • Marc Delisle

    Marc Delisle - 2012-01-11
    • status: open-out-of-date --> open
     
  • Marc Delisle

    Marc Delisle - 2015-07-25
    • status: open --> closed-out-of-date