From issue 21814:

I still (download 4.7) see the behaviour (that's described in the original post) in Opera (win 9.02) and IE (win 6.0). I solved this way back by adding a random number to all browsers but Firefox.

Here's how the "hack" looked then:

    // fix logout on cancel in Opera and IE
    $browser_user_agent = strtolower( $_SERVER['HTTP_USER_AGENT'] );
    if (strstr($browser_user_agent, "gecko")) { //Firefox
      $realm = "gecko-browser";
    }
    else { //Opera, IE, others?
      $realm = mt_rand( 1, 1000000000 );
    }
    header('WWW-Authenticate: Basic realm="'.$realm.'"');

Comments

NaX’s picture

I tried this hack and it does seem to work. By changing the realm for IE and Opera the PHP_AUTH variables are cleared. This type of workaround would make the user defined Authentication realm feature pointless. Maybe we should look at modifying this workaround so that it adds a suffix to the realm. It's not ideal, but maybe a good enough workaround for the time being, until we find a better solution.

NaX’s picture

Here is how I implemented your workaround. From my tests it works. I will submit a patch later.
Maybe we should put this in as an admin selected feature. So the site admin can decide if he wants his realm modified.

Something like

Disabled
Enabled with web browser HTTP-AUTH security
Enabled with web browser HTTP-AUTH security, with browser logout workaround
Enabled with HTML login form

And some sort of description of what the workaround does.


    $realm = variable_get('securesite_realm', variable_get('site_name', 'drupal'));
    
    // fix logout on cancel in Opera and IE
    $browser_user_agent = strtolower( $_SERVER['HTTP_USER_AGENT'] );
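    if (strpos($browser_user_agent, "gecko") === FALSE) { // Opera, IE, others?
      // Non-Gecko browsers only drop cached credentials when the realm changes.
      $suffix = ' ,'. mt_rand(10, 99);
    }
    else { // Firefox (Gecko): keep the realm unchanged
      $suffix = '';
    }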
    
    header('WWW-Authenticate: Basic realm="' . $realm . $suffix . '"');
    header('HTTP/1.0 401 Unauthorized');

junyor’s picture

Subscribing.

junyor’s picture

Let's leave out the browser checking and just do it for all browsers. It shouldn't hurt Mozilla. And how about a "-" between the realm and the suffix?

NaX’s picture

I tested the idea with Firefox, but it does not work. Firefox only clears the AUTH variables when the dialog is presented to the user with the same realm that they were created with. I think Firefox is doing things correctly (shocker). I wish all browsers would just work the same.

junyor’s picture

@NaX: I'll file a bug report with Opera.

NaX’s picture

Status: Active » Fixed

Committed to DRUPAL-4-7 and HEAD. Please give it a test.

anders.fajerson’s picture

Nice to see this implemented, it didn't show up in "my issues" (it was closed before the post about the new thread was sent) so I missed this. But to be fair, shouldn't I get credit for this patch? ;)

darren oh’s picture

Of course. This is all your work. I only closed the original issue because the unclosed tags in your last post made replies unreadable and I couldn't get the tags closed.

Anonymous’s picture

Status: Fixed » Closed (fixed)

NaX’s picture

Status: Closed (fixed) » Active

@Darren Oh
I was wondering if this is correct. ('htps:/')

  '#default_value' => variable_get('securesite_realm', ltrim($base_url, 'htps:/')),

I was thinking something more like this


  list($protocol, $ver) = explode("/", strtolower($_SERVER['SERVER_PROTOCOL']));
  ...
  '#default_value' => variable_get('securesite_realm', ltrim($base_url, $protocol . '://')),

If not feel free to close the issue.

NaX’s picture

Please disregard my suggestion. It won't work, as it requires more than 1 line to call variable_get.
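
Added example, not part of the thread or of the module's code: PHP's `ltrim()` treats its second argument as a set of characters rather than a literal prefix, which is what the `'htps:/'` question above turns on. The helper `realm_from_base_url()`, the host names and the `SERVER_PROTOCOL` value are hypothetical, constructed for illustration.

```php
<?php
// Added example (not module code). All URLs below are constructed samples.

/**
 * Hypothetical helper: remove only a leading "http://" or "https://".
 */
function realm_from_base_url($base_url) {
  return preg_replace('#^https?://#i', '', $base_url);
}

$samples = array(
  'http://example.com',
  'https://shop.example.com',
  'http://test.example.com/drupal',
);

foreach ($samples as $base_url) {
  // Character-mask behaviour: ltrim() keeps stripping leading characters
  // that appear anywhere in 'htps:/', so host names that start with
  // h, t, p or s lose their first letters as well.
  $masked = ltrim($base_url, 'htps:/');

  // Prefix behaviour: only the scheme is removed.
  $prefix = realm_from_base_url($base_url);

  printf("%-32s ltrim: %-22s prefix: %s\n", $base_url, $masked, $prefix);
}

// The SERVER_PROTOCOL variant from the thread has two separate issues.
// SERVER_PROTOCOL is the HTTP version string (constructed value below),
// so it yields "http" even when the request arrived over TLS, and the
// resulting 'http://' is again used as a character mask by ltrim().
$server_protocol = 'HTTP/1.1'; // constructed stand-in for $_SERVER['SERVER_PROTOCOL']
list($protocol) = explode('/', strtolower($server_protocol));
$mask = $protocol . '://';

printf("mask %-10s on %-28s -> %s\n",
  "'" . $mask . "'",
  'https://site.example.com',
  ltrim('https://site.example.com', $mask));
```

Run it with the PHP command-line interpreter and compare the `ltrim` column with the `prefix` column for each constructed URL.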

NaX’s picture

Status: Active » Closed (fixed)

  • Commit b82d929 on 5.x-1.x, 6.x-1.x, 6.x-2.x, 7.x-2.x, master, 8.x-1.x by NaX:
    #91025 HTTP AUTH logout workaround. By Darren Oh