Are you looking to allow a user to log out? If you are, have a look at this: http://drupal.org/node/91025

Comments

decafdennis

I was aware of the logout problem, but thanks for linking the issue! You're very helpful.

decafdennis

Because httpauth works differently, I cannot use the fix securesite uses (I think). The httpauth module does not send the WWW-Authenticate header unless access was denied, so it can't send another random realm.

So that means in addition to sending a 'random' realm, I need to check if the browser authenticates using this realm. In order to do that, I need Digest authentication. So that is to be done first.

decafdennis

Assigned: Unassigned » decafdennis
decafdennis

So, digest authentication is no solution. See http://drupal.org/node/97658

decafdennis

Title: cant Logout » Cannot logout after authenticating
Version: 4.7.x-1.0 » 5.x-1.x-dev

Marked #147296 as a duplicate.

Note that this problem has a low priority because this module is not meant to be used from the browser, but from other clients like an RSS news reader.

jablko

In writing the HTTP auth module for the Gallery project, we discovered the following tricks for logging out with HTTP authentication:

Because most web browsers cache HTTP auth credentials, the Gallery logout link didn't work as expected after logging in with HTTP auth. Gallery correctly logged out the active user but the web browser simply logged in again with the next request.

To work around this, the HTTP auth module listens for the Gallery::Logout event and delegates to the httpauth.TryLogout view if necessary: http://gallery.svn.sourceforge.net/viewvc/gallery/trunk/gallery2/modules...

The TryLogout page tries clearing the browser's authentication cache by as many tricks as possible:

* Ask browser to authenticate with bogus authtype:

GalleryUtilities::setResponseHeader('HTTP/1.0 401 Unauthorized', false);
GalleryUtilities::setResponseHeader('WWW-Authenticate: Bogus', false);

* Redirect with random username and password. This won't actually clear the browser's authentication cache but will replace it with an invalid username and password. Since Gallery ignores invalid HTTP auth credentials, this effectively logs the user out.

* Clear Internet Explorer's authentication cache with JavaScript:

try {ldelim}
{* http://msdn.microsoft.com/workshop/author/dhtml/reference/constants/clea... *}
document.execCommand("ClearAuthenticationCache");
{rdelim} catch (exception) {ldelim}
{rdelim}

The TryLogout page redirects to the FinishLogout page for two reasons:

1. To replace the browser's authentication cache with an invalid username and password
2. To check that the user was indeed logged out. If the user was logged out, the FinishLogout page redirects back to the Gallery application. Otherwise it displays a warning advising the user to manually clear their authentication cache (Clear Private Data in Firefox).

The TryLogout page redirects to the FinishLogout page using JavaScript and falls back on a manual link. It can't use a 302 Found status because the page needs to load for the Internet Explorer JavaScript to execute and because we can't put an invalid username and password in a Location: header.

http://codex.gallery2.org/Gallery2:Modules:httpauth
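
The flow described in the comment above, as an added server-side sketch in JavaScript. It is not Gallery's or the httpauth module's code; the function names, the /finishLogout path, the nonce parameter and the sample account are assumptions.

```javascript
// Added illustration of the TryLogout / FinishLogout flow; not Gallery or Drupal code.
// All names, the /finishLogout path and the sample account are hypothetical.

// Constructed stand-in for the application's real credential check.
const demoCheck = (user, pass) => user === 'alice' && pass === 'correct horse';

// Return the user name when the request carries valid Basic credentials.
// Invalid or missing credentials are ignored (anonymous), not answered with 401.
function authenticate(req, check = demoCheck) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+=*)$/i.exec(req.headers.authorization || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // user names cannot contain ':'
  if (sep < 0) return null;
  const user = decoded.slice(0, sep);
  return check(user, decoded.slice(sep + 1)) ? user : null;
}

// TryLogout: challenge with a bogus auth type, then point the browser at
// FinishLogout with throwaway credentials that replace the cached ones.
function tryLogout(siteOrigin, nonce) {
  if (!/^[a-z0-9]{6,64}$/i.test(nonce)) throw new Error('nonce must be alphanumeric');
  const url = new URL('/finishLogout', siteOrigin);
  url.username = `logout-${nonce}`;
  url.password = nonce;
  return {
    status: 401,
    headers: { 'WWW-Authenticate': 'Bogus' },
    // The page has to load for script to run, so no 302; keep a manual link.
    body: `<script>location.replace(${JSON.stringify(url.href)})</script>` +
          `<a href="${url.href}">Finish logging out</a>`,
  };
}

// FinishLogout: confirm the browser no longer sends working credentials.
function finishLogout(req, check = demoCheck) {
  if (authenticate(req, check) === null) {
    return { status: 302, headers: { Location: '/' }, body: '' };
  }
  return {
    status: 200,
    headers: {},
    body: "Still logged in: clear the browser's authentication cache manually.",
  };
}
```

The site origin passed to `tryLogout` is meant to come from configuration rather than the request's Host header, since it is written into the page body.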

decafdennis

Thanks, jablko, that's very helpful!

erikkramer

This looks very interesting. But how do I implement it?

I've installed the http authorisation module, enabled it and set "Promote HTTP authentication on pages:" to "node". Works fine, but can't logout.

decafdennis

Assigned: decafdennis » Unassigned
Status: Active » Closed (won't fix)