Logging Out of the CP

[Raven]

Is it just me... or does the logout button not work in the CP? I'm using Firefox 1.0.

[Spathiphyllum]

Happens the same way in Mozilla 1.x but does log you out of Opera by closing the window/tab instance.

And I refuse to test it in MSIE.

[Raven]

Well, its good to know I'm not alone then at the very least. Don't blame you for not wanting to use MSIE either! I'm pretty much the same way.

[JonathanB]

I've been using the family of Mozilla browsers for quite a while and I don't believe the logout button ever worked with those browsers.

[sycopathman]

I can't log out either.

[Vin DSL]

Hello?!?!?

All that button does is close your browser. You can do that manually, if you want to.

Personally, my question is: who cares? Unless you guys are maintaining your web sites from public libraries, or whatever, what difference does it make?

[jason]

CPanel uses HTTP authentication. Apache pretty much sums it up in their documentation with this:

How do I log out?

Since browsers first started implementing basic authentication, website administrators have wanted to know how to let the user log out. Since the browser caches the username and password with the authentication realm, as described earlier in this tutorial, this is not a function of the server configuration, but is a question of getting the browser to forget the credential information, so that the next time the resource is requested, the username and password must be supplied again. There are numerous situations in which this is desirable, such as when using a browser in a public location, and not wishing to leave the browser logged in, so that the next person can get into your bank account.

However, although this is perhaps the most frequently asked question about basic authentication, thus far none of the major browser manufacturers have seen this as being a desirable feature to put into their products.

Consequently, the answer to this question is, you can't. Sorry.

CPanel does, however, get around this in webmail, where the logout link does work. I'm not exactly sure how they implement that, but I'm curious to find out.

--Jason

[Raven]

At times I do login to the control panel from computers other than my personal one, so in reality it does make a difference to me. But, I did assume that the logout did more than just close the browser window. Now that I know more about the situation, thanks to jason, I can let go of my worries.

[Vin DSL]

LoL!

Look, once you are authenticated, using basic auth, you stay authenticated as long as the browser is open. If you close the browser, manually or otherwise, you have to authenticate again. If you'll pardon the pun, this is 'basic authentication' 101...

All that button does is close your browser...

Here's the actual code:

Code:

"<a href="#" onClick="self.close()"><img src="images/topbar_logout.gif" width="55" height="45" border="0"></a>

That button is just a convenience... a 'crutch', if you will... and that code doesn't work with Mozilla browsers...

Cookie authentication is a whole different matter. It doesn't matter if you close the browser or not. The cookie lives as long as it lives. Many times, it will live forever. So, if you use a public terminal, like at work, ALWAYS make sure that you not only close the browser, but you delete all the cookies. Otherwise, you're leaving yourself wide open!

This is probably where you are confused, Raven... With cookie auth, when you logout, you are killing the cookie. You don't have to close the browser to kill the cookie. With 'basic auth', you cannot kill auth until you close the browser. In other words, you cannot logout using 'basic auth' the same way you do with cookies...

[phluidphil]

as a side note, if you *truely* want to logout of cpanel, make sure *ALL* mozilla browser windows are closed and associated e-mail programs. If you leave mozilla mail open it will still keep your basic auth. information in memory even if you have all mozilla browser windows closed.

This goes for all browsers and their associated email program. (Firefox, Mozilla, IE).

[Vin DSL]

CPanel uses HTTP authentication. Apache pretty much sums it up in their documentation with this:

How do I log out?

...the answer to this question is, you can't. Sorry.

--Jason

And, I'm "Sorry" for digging up this old bone, but look what I just found, Jason...

http://www.free-php.org/index.php?ca...th entication

[jason]

And, I'm "Sorry" for digging up this old bone, but look what I just found, Jason...

http://www.free-php.org/index.php?ca...th entication

I figured something kludgy like that could be done, but I never bothered to try.

Firefox's Web Developer toolbar happens to have a "Clear HTTP Authentication" option in the Miscellaneous menu, too.

--Jason

[Vin DSL]

I figured something kludgy like that could be done, but I never bothered to try...

Yeah, exactly!

Unlike you, I "bothered to try" a bunch of these 'solutions', so called, and all they are is smoke n' mirrors. In all cases, they don't actually log you out. What they do is log you in, a second time, with a bogus ID, or whatever, throwing your browser a 401. Sheesh!

What a bunch of BS! All you have to do is hit the 'back button' in your browser, and you're right back in again with the original credentials.

This is a browser issue, pure and simple. Until authors decide to add a button to destroy the credentials (as you pointed out with Firefox) there will be no TRUE logging out of basic auth. It cannot be done at the server level - period - exclamation!

[jason]

For anyone who cares, here's the basics on basic authentication:

When you request a page that requires authentication and you haven't yet logged in to that site and realm already the server returns a 401 status (Not Authorized). The browser sees this, checks to see if it knows a username and password for the specified realm. If it does, it resends the request along with the username and password. If it can't find a match it prompts the user to log in.

With each login attempt the request for the given URL is resent to the server. If the attempt is valid (good credentials) then the server returns the page. If they are not then the server returns another 401 status. Generally the browser keeps track of how many consecutive bad logins occur in a row and after a limit (generally 3) is reached it show's the browser's 401 page instead of prompting.

From then on, the username and password are sent with every request to the server that requires authentication. Since HTTP is a stateless protocol the server must reauthenticate the user for each page requested. Also note that the username and password is sent in the clear (unless you use HTTPS).

With HTTP, the browser makes requests to the server and the server fills them. The server can't make a request to the browser, so there is no way for the server to tell the browser to forget the credentials it has cached. Even if it could, there's no guarantee that browsers would even listen since they are free to pretty much do what they want with the data the browser returns.

--Jason