Am I right in thinking that a user can never log out by clicking the "Logout" button, when using this module? Is there another clean way of logging the user out? It's a security risk if they can't log out.
Thanks
Comments
Comment #1
kswan commented:
stodge:
It is important to understand that this module defers authentication to the webserver (usually Apache or IIS). At that point, all security depends on the configuration of the webserver. Drupal and webserver_auth have no way to control the configuration of the webserver.
If you have set access control on the whole Drupal directory, the user must be authenticated (with the webserver) to see any page. Any unpatched version of webserver_auth will automatically log the user into Drupal when they visit any page. If a user needs to log out so they can log in as a different user, please see the patch in #22981: Logout after NTLM login.
I am not sure what kind of security risk you are referring to, but any security risk depends on the webserver configuration and the security of the client PC.
Comment #2
kswan commented:
Oops, I set the status incorrectly.