rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: Stilez on November 12, 2014, 10:29:23 AM

Title: Old question but...
Post by: Stilez on November 12, 2014, 10:29:23 AM
I can see on the forum several people asked, and were told long ago, that there is no logout button, they should just "close their browser".

I just visited my HFS server in IE11 (Win8.1), opening a new tab to do so. I finished with my session, so I closed the tab as indicated by the info pages on HFS. In theory if it's stateless and just using HTTP header information, that information should have all been lost when I close the tab. But that isn't what happened. I opened a new tab and retyped the server URL "fresh", and it returned me to the logged-in page immediately.


1) Where is the login-state information that I am seeing, after closing the tab and in a fresh tab retyping the URL, coming from? Is there some other persistent mechanism at play that needs some different kind of logout process?

2) Most browsers by default auto-preserve session data in case of crash, or if the user may wish to undo the close action in this or a subsequent session. As it's unlikely that HFS will be the only tab in use, and one cannot easily verify whether session data is always deleted, does this mean that someone else can retype the URL or reopen the last closed tab, and will find state is auto-restored for it, in many cases? If that's likely, then what precautions are needed in addition to closing the tab, to ensure the server session cannot be resumed by simply CTRL-T "undo close tab" or "restore last session"?

3) Can the server distinguish between an open but idle session (the browser is open, requests would be valid but are not being "clicked") and a closed one (the browser has been closed or the computer or link have crashed, requests should not be valid unless logged in again)?  If not then it's hard to know what to set for a login that should be left open indefinitely but with login required upon each new session.


Any help on these appreciated, thanks
Title: Re: Old question but...
Post by: bmartino1 on November 12, 2014, 09:33:18 PM
as previously posted in the forums you might have seen, it has to do with many factors..

For instance, let's take Firefox here:
https://support.mozilla.org/en-US/kb/fix-login-issues-on-websites-require-passwords
Firefox uses cookies to hold its authentication (there are more and others, but just to simplify...)
the "logins" are in cookie form..

In order to log out you must clear the cookie cache and/or delete browsing data...
In actuality, it is a browser issue, not HFS...

HFS is only authenticating the login and is not supplying a current session (to log out) ....
as (multiple random ports open for normal web traffic)

Now for instance, in Chrome (the same is true) except you have to delete some user data cache...

in Internet Explorer, you can (might be able, not tested...) accomplish this via the "nomerge" option:
http://support.microsoft.com/kb/968341
-----------------

As for the issue at hand, HFS to my knowledge doesn't have the functionality to act to accommodate all Authentication Methods... Example: login and log out...

There are other known web programs that do, such as

(Ubuntu LAMP) http://httpd.apache.org/ using .htaccess on Apache
Windows IIS... http://www.iis.net/ ...

http://msdn.microsoft.com/en-us/library/ee825205(v=cs.10).aspx

---
Although I think the programs such as rejetto might incorporate this later on. (HFS server-side and web-side configuration and login and logout windows/functionality)

http://www.rejetto.com/forum/hfs-~-http-file-server/hfs-and-phpmysql/msg1059118/#msg1059118
(kind of why I was pushing a while back to incorporate PHP... maybe in HFS 3.0 or for quite some good time... )

I was able to get PHP to work a little in HFS:
see YouTube link: (30 min going over PHP login and logout-account creations...)
http://www.youtube.com/watch?v=gav4HmZ8xe8
Title: Re: Old question but...
Post by: bmartino1 on November 12, 2014, 10:02:21 PM
in IIS, Stack Overflow:
http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication

---------
essentially what you're wanting to make the website/HFS do:

Basic Authentication wasn't designed to manage logging out. You can do it, but not completely automatically.

What you have to do is have the user click a logout link, and send a ‘401 Unauthorized’ in response, using the same realm and at the same URL folder level as the normal 401 you send requesting a login.

They must be directed to input wrong credentials next, eg. a blank username-and-password, and in response you send back a “You have successfully logged out” page. The wrong/blank credentials will then overwrite the previous correct credentials.

In short, the logout script inverts the logic of the login script, only returning the success page if the user isn't passing the right credentials.

The question is whether the somewhat curious “don't enter your password” password box will meet user acceptance. Password managers that try to auto-fill the password can also get in the way here.

Edit to add in response to comment: re-log-in is a slightly different problem (unless you require a two-step logout/login obviously). You have to reject (401) the first attempt to access the relogin link, then accept the second (which presumably has a different username/password). There are a few ways you could do this. One would be to include the current username in the logout link (eg. /relogin?username), and reject when the credentials match the username.

----------------
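
The logout flow quoted above, sketched as an added example (not part of the original posts and not HFS code). `REALM`, `USERS`, `respond` and the listening port are assumptions made for illustration; the server keeps no session and judges each request only by the `Authorization` header it carries.

```python
import base64
import binascii
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "files"                      # constructed; must match on login and logout
USERS = {"alice": "s3cret-example"}  # constructed sample account

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def is_valid(creds):
    if creds is None:
        return False
    expected = USERS.get(creds[0])
    return expected is not None and hmac.compare_digest(expected.encode(), creds[1].encode())

def respond(path, auth_header):
    """Stateless decision: returns (status, headers, body) for one request."""
    valid = is_valid(parse_basic(auth_header))
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if path == "/logout":
        # Inverted logic: still-valid credentials get a 401 so the browser
        # prompts again; blank or wrong ones replace its cached pair and get 200.
        if valid:
            return 401, challenge, "Submit blank credentials to log out."
        return 200, {}, "You have successfully logged out."
    if not valid:
        return 401, challenge, "Login required."
    return 200, {}, "File listing for authenticated user."

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = respond(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```
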
Title: Re: Old question but...
Post by: rejetto on November 12, 2014, 10:12:34 PM
sadly you have to close the whole browser, not just a tab.

1) the browser keeps your login in memory, and resubmits it every time. This is normal behavior, although the browser is not required to do so.

2) I expect quitting the browser is enough. Try it yourself.

3) there's no such thing as a session for HFS. It's the browser, actually, having a session with credentials, that's terminated after quit. This is what HTTP offers by default, and it actually sucks, I know. It needs to be deeply changed and I had no time for such a big change.
The template itself uses a cookie to have its own session, which it uses for security and options, but it's not truly part of HFS and has nothing to do with credentials.