D-Beaudet at NGA
Feb 23, 2009, 12:58 PM
Post #11 of 23
Slight enhancement to what Matt said. The logout button only disappears
if you are currently logged in via an Apache Auth mechanism, not if you
are logged in via Bricolage's auth mechanism.

For example, if you are logged in via Apache Auth, then as a Bric admin,
log in as another Bric user from the user list page, the logout button
When you click logout from that user, you are then re-authenticated via
Apache Auth and taken immediately to your workspace page and the logout
button disappears again.

It very well might make more sense to keep the logout button all the
time, but if we do that we first have to define the contents of the page
that will be displayed when an Apache-authed user clicks logout.

In another system we have that is SSO-enabled, there's an interim page
that says something like: "You have been logged out of the system, click
the button below to return".

The whole point being that if I'm logged in with an Apache Auth
mechanism and I click logout, it doesn't make sense to be taken back to
the Bricolage login page with a username: password: dialog; and it seems
like a usability issue to have a button added to that page that says:
"login automatically with Apache authentication instead".

Hope this helps,

> -----Original Message-----
> From: David E. Wheeler [mailto:david [at] kineticode]
> Sent: Monday, February 23, 2009 3:47 PM
> To: devel [at] lists
> Subject: Re: Bric Auth
>
> On Feb 23, 2009, at 12:43 PM, Matt Rolf wrote:
>
> > As I mentioned prior, the code is almost ready to commit. However,
> > I want to pose a question to the list as to how we should handle
> > logouts before I commit it.
> >
> > David B. coded the logout button to drop away when Apache
> > Authentication is in operation. At first I didn't think this made
> > sense, and suggested that we add a page that would kill the Bric
> > Session when the user clicks logout. But the more we've talked
> > about it here at Denison, the more David's implementation seems to
> > make sense. Reason being, Apache doesn't care, it will still keep
> > you logged in even if the Bric session is dead. And if someone's
> > using a SSO tool like CAS, then they might have their own url they
> > might want to direct to on login.
>
> Is there no way to kill the Apache login?
>
> > So I'd like to get feedback from others as to the best way to handle
> > this. My current thought is to commit it as is (no logout button
> > when Apache Auth is on). Maybe we want to add a custom logout url to
> > bricolage.conf directory? I'm not sure.
>
> Not sure I follow you here.