Closed Bug 287957 Opened 19 years ago Closed 6 years ago

need a way for content to trigger a clearing of the HTTP auth session from script (.htaccess logout)

Categories

(Core :: DOM: Core & HTML, enhancement)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: jan, Unassigned)

References

(Depends on 1 open bug)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Since version 6 (SP1) MS Internet Explorer has had the function
ClearAuthenticationCache
<http://msdn.microsoft.com/workshop/author/dhtml/reference/constants/clearauthenticationcache.asp>
which makes it easy to perform a .htaccess logout. I understand there is no
similar function in Firefox, and this makes users prefer IE for certain tasks.

I ask that ClearAuthenticationCache functionality is implemented in Firefox as well.

Reproducible: Always

Steps to Reproduce:
1. Perform .htaccess login
2. Realize that you can not log out if you use Firefox
3.
https://bugzilla.mozilla.org/show_bug.cgi?id=55181#c55

This is/will be implemented via UI but not with DOM0
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Component: Security → General
Resolution: --- → WONTFIX
There is similar function in Moz. Just no UI. Install Web Developer Tool (an
extension) and you'll get an UI for this.
http://www.chrispederick.com/work/firefox/webdeveloper/
That's not similar at all. That allows users to manually log out of HTTP auth.
This bug was filed about giving *sites* the ability to clear the client's auth
and force the client to reauthenticate. Specifically, Microsoft's
ClearAuthenticationCache mechanism.

Frankly it's not such a bad idea. Merchants can be on the hook to credit card
companies if the user cries "fraud" (in the US, anyway). I'm sure they'd love
the opportunity to make sure the user was really and truly logged out when they
hit the log-out button on the page. Even if we have logout UI (and we do in the
Suite) not many people are going to know to use it if they think they've done
all they need to by clicking the "log out" button on the site.

I can't see us supporting MS's syntax, though, and if we don't what is the
likelyhood that sites would write code just for Firefox? Also a site shouldn't
be able to log you out of all sites, just that one.
Well, 

it would clearly be best for developers if we could use the same code for IE and
FF. But presently we have a choice for IE and no choice at all for FF. If it is
absolutely neccessary to have a syntax different from IE I would still prefer
that, compared to no syntax at all.....
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → EXPIRED
To me, this problem is as important as it was when I originally reported it. It
is also the reason some of our users need to use IE. Unfortunately I am not able
to help more than this, informing about the problem.
Status: RESOLVED → UNCONFIRMED
Resolution: EXPIRED → ---
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 324976 has been marked as a duplicate of this bug. ***
I'm a website developer and I'm using http-authentication on my site.

The first time when a user access my page he/she is asked for username and
password through browser authentication box.

After user leaves the site (using a logoff page), if he/she doesn't close the
browser window or manually clears the authentication cache, if he/she returns
to site again, the authentication box isn't displayed, because the username and
password are stored on browser cache. 

Working with Internet Explorer, I use the javascript code
document.execCommand("ClearAuthenticationCache") on the logoff page and when
the user comes back to site, a new authentication box is displayed, since
authentication information was cleared from cache.

I was looking for a way to make the same thing on Firefox because I want to
make it compatible with FF, too.

After a long search and various posts on messages boards of Mozillazine, some
users told me to create a request in Bugzilla, because there´s no currently way
to programatically clears cache of HTTP Authentication in FF, like IE does with
the ClearAuthenticationCache command.

I think this missing feature makes user information vulnerable. On public
computers, if a user forgets to close browser window or clear the
authentication cache manually, other users that use the same computer can acess
the site using previous credentials entered, since the browser will not ask for
a username and password again.

I'm asking for a way to perform this task (clear authentication cache) programatically, using javascript or something like it to clear authentication cache without user intervention. 

On this site you can reproduce problem: http://gemal.dk/browserspy/password-works.html
Username: test   Password: test

See the link "flush all credentials" on the page. Use IE to see what I need to
do with FF too. 

1. Acess http://gemal.dk/browserspy/password-works.html using IE
2. Username: test   Password: test
3. Refresh the page to ensure that you are authenticated
4. Click the link "flush all credentials"
5. Refresh the page and IE will ask for username and password again

I need to make the same thing with FF.

I think is not a hard work since there's a menu item on FF that does this job.
Exposing a way to log a user out of _all_ authenticated sessions without interaction in the same way IE works isn't something I want to expose to web content?  Why should foo.com be able to log me out of bar.com?

That said, being able to log out of the current HTTP auth session (i.e. if I'm logged into foo.com, foo.com can log me out of foo.com) would be acceptable, though I'm not sure why the site can't kill the session itself.
In my opinion, if you come out of a site that requires authentication, your authentication cache was to cleared automatically and when you come back to site, you must be requested to authenticate again. Unfortunately, W3 specifications are others (that needs to be changed) and the browser cache exists...

By the way, the existence of a function to clear only the current domain that calls it is a good start...
Hi,

Since my last post nothing was done and the time is ticking... I found scripts that try to exposa nsiHttpAuthManager.clearAll() method of XPCOM without sucess.

Look it:

<script language="javascript"> 
<!– // 
function clear_autentificacion() { 
try{ 
if (document.all) { 
// IE clears HTTP Authentication 
document.execCommand("ClearAuthenticationCache"); 
} else { 
netscape.security.PrivilegeManager. 
enablePrivilege("UniversalXPConnect"); 
authenticationManager = Components.classes["@mozilla.org/network/http-auth-manager;1"].getService(Components.interfaces.nsIHttpAuthManager); 
authenticationManager.clearAll(); 
}} catch(e) { 
} 
} 
</script> 

I think that using this script, I could clear authentication cache of FF, but It didn't work...

By now, I'm clearing cache of FF using this code on mysite.com:

<script language="javascript" type="text/javascript"> 
<!-- 

function LimpaAuth() { 
try { 
if (document.all) { 
// Limpa autenticacao do IE 
document.execCommand("ClearAuthenticationCache"); 
window.location = "about:home"; 
} else { 
window.location = "http://logout:logout@mysite.com"; 
window.home(); 
} 
} catch(e) { 
// Em caso de erro exibe mensagem ao usuário 
alert("It was not possible to clear your credentials from browser cache. Please, close your browser window to ensure that you are completely logout of system."); 
self.close(); 
} 
} 

// --> 
</script> 

It's ridiculous to use the syntax user:pass@site.com to clear authentication cache but it's the only thing that is working to clear the FF cache programmatically.

We need a clean way to do this right now!!!
Hixie, is this something WHAT-WG should spec?

Darin, do we have an iface that will clear a single site's authentication? (I seem to remember we don't.)
Assignee: dveditz → nobody
Please note that I need solutions that "belongs" to browser by default.

Various users will not agree to install extensions to perform clean-up of cache.

What is there to spec? Surely this should just be a menu item?

There have been suggestions that you should be able to submit a form to HTTP auth, but it's not clear how that would work.
Hixie: See comment #12.  I believe the bug is about providing a Javascript-based API to clear the auth cache.

Dveditz: Right, there isn't an API provided for this.  We'd want to extend nsIHttpAuthManager to provide one.
What we need is a method in JavaScript to clean the cache. Not a menu item! (This already exists).

We need a way to clean the cache programmatically (using JavaScript).

Note that I try to use nsIHttpAuthManager in the script below without sucess:

<script language="javascript"> 
<!– // 
function clear_auth() { 
try{ 
if (document.all) { 
// IE clears HTTP Authentication 
document.execCommand("ClearAuthenticationCache"); 
} else { 
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect"); 
authenticationManager = Components.classes["@mozilla.org/network/http-auth-manager;1"].getService(Components.interfaces.nsIHttpAuthManager); 
authenticationManager.clearAll(); 
}} catch(e) { 
} 
} 
</script>

I know for this script run in FF I need to changed the "signed.applets.codebase_principal_support" parameter to "true". I did it, but without success to clean FF http cache.
anything in the js console?
(In reply to comment #18)
> anything in the js console?

No. It runs with any errors but doesn't clear the cache.

I run it on logout page. It gives me a security warning about the script. I click on "Allow" button, to allow script to run, and it runs without errors, but, when I return to site, I access it without user/pass dialog box.

Another problem is the security alert because some users can be scared with it.
I found another script to clear the cache of FF.

It uses a xmlhttp object to access the site with non-existent credentials, clearing the cache.

Look it:

<script language="javascript" type="text/javascript">

try{
  var agt=navigator.userAgent.toLowerCase();
  if (agt.indexOf("msie") != -1) {
    // IE clear HTTP Authentication
    document.execCommand("ClearAuthenticationCache");
  }
  else {
    // Let's create an xmlhttp object
    var xmlhttp = createXMLObject();
    // Let's get the force page to logout for mozilla
    xmlhttp.open("GET",".force_logout_offer_login_mozilla",true,"logout","logout");
    // Let's send the request to the server
    xmlhttp.send("");
    // Let's abort the request
    xmlhttp.abort();
  }
  // Let's redirect the user to the main webpage
  window.location = "/rest/";
} catch(e) {
// There was an error
alert("there was an error");
}

function createXMLObject() {
    try {
        if (window.XMLHttpRequest) {
            xmlhttp = new XMLHttpRequest();
        }
        // code for IE
        else if (window.ActiveXObject) {
            xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
        }
    } catch (e) {
        xmlhttp=false
    }
    return xmlhttp;
}
</script>

It is a **** way to clean the cache, but it is a solution, since FF does not have another way to allow web developers to programmatically clean its cache.

You can test this script in action at the author's site (http://nanodocumet.homedns.org/rest/)
QA Contact: firefox → general
I've heard of one case where this is blocking institutional roll-out of Firefox. The situation is shared machines accessing an intranet and credentials being exposed to others. It's especially bad on Mac where closing the last browser window (but not exiting the app) doesn't clear the credentials like it does on Windows. Offering the intranet app a mechanism to clear credentials via JS would give Firefox parity with IE and make it easier for some institutions to switch to Firefox.
Flags: blocking-firefox3?
Moving to core, this is a Necko issue.
Flags: blocking-firefox3?
Component: General → Networking: HTTP
Product: Firefox → Core
QA Contact: general → networking.http
Summary: No .htaccess logout with FireFox → need a way for content to trigger a clearing of the HTTP auth session from script (.htaccess logout)
More than two years since this has opened and this is single handedly preventing me as a intranet web programmer from implementing NTLM Authentication.  I can *not* rely on users to close their browser.  This lack of functionality makes NTLM authentication a big security risk.
I was able to get the solution mentioned by Ilanio above to work when I delayed the xmlhttp.abort(); a bit, like this:

setTimeout("xmlhttp.abort();", 100);

But I still really miss this functionality in Firefox - the easiest solution in a Windows community is to use IE.
With increased use of OpenID and scripts such as phpMyId[1], which use HTTP Digest Authentication, the user risk involved in this issue is significantly increased. Once a user authenticates with such a script, a password is not required for *any* OpenID-enabled Web site to which the user has an account.

Perhaps this is the fault of the script, but Firefox should supply some kind of mechanism for sites to clear the AUTH cache.

[1]: http://siege.org/projects/phpMyID/
We need some sort of spec for a sane way to log out a specific HTTP auth.  The IE solution is terrible, one app shouldn't be able to log a user out of every http auth app they're using, especially without interaction.  That type of model makes sense for a single window, single tab scenario (i.e. 1999) but in a "I have 137 tabs open" world its harmful to users.
Calling the code

   document.execCommand('ClearAuthenticationCache',true);

in Firefox 2.0.0.13 throws me an exception:

uncaught exception: [Exception... "Not enough arguments"  nsresult: "0x80570001 (NS_ERROR_XPC_NOT_ENOUGH_ARGS)"  location: "JS frame :: http://...:81/ :: onclick :: line 1"  data: no]
This bug has some good(and very long) discussion on how to implment this via content.
https://bugzilla.mozilla.org/show_bug.cgi?id=55181 

This post mentions how this is suggested by w3c
https://bugzilla.mozilla.org/show_bug.cgi?id=55181#c10

My favorite suggestion for implementing this is a link for a specific domain and realm:
about:logout?protocol=http&domain=www.zope.org+realm=Zope

logout of all domain-realms:
about:logout?protocol=http&domain=www.zope.org+realm=*

logout of all domains:
about:logout?protocol=http&domain=*

originally suggested 
https://bugzilla.mozilla.org/show_bug.cgi?id=55181#c22
and refined
https://bugzilla.mozilla.org/show_bug.cgi?id=55181#c36

Loading a magic URL isn't the ideal API to use from script.

I'd suggest a simple API on the 'navigator' object, say, 'dropAuthentication', taking no parameters. It would just drop whatever authentication was used to load the current document.
I can't believe it, periodically I face always the same problem. I think the first time that I have discovered that IE was able to clear the authentication cache and FF wasn't, was in 2006. Now is about 4 YEARS that the users are asking for a way to clear the authentication cache and still there is any solution.
I can imagine that the IE way is "so horrible", but at least they offer a solution. Is it "so horrible" to offer the same method as IE? At least meanwhile you guys think to the best way to do it (how many years do you still need?) we have at least something usable.
I think it's very easy to write a patch which implements the ClearAuthenticationCache function of Internet Explorer using nsIHttpAuthManager, but I can't write the patch for you cause I'm not a C programer.
it's not even possible from chrome js to remove a single entry.  certainly no content should clearAll and no chrome would want to.  just a matter of exposing:

http://mxr.mozilla.org/mozilla1.9.2/source/netwerk/protocol/http/src/nsHttpAuthCache.h#243
See also WebKit bug <https://bugs.webkit.org/show_bug.cgi?id=44823>.
Same comment as many others.  Please find some way to add the ability to clear the authentication.

At the very least you could support document.execCommand('ClearAuthenticationCache') but only clear the authentication cache for the current domain.

A better option would be something like: window.ClearAuthenticationCache();

Being able to Log Off from a site is such a basic option that this should really be a no-brainer.   Even if you ask the user before clearing the credentials then that would still be a huge improvement over doing nothing.

Thank you.
(In reply to Ilanio Castro from comment #20)
> I found another script to clear the cache of FF.
> 
> It uses a xmlhttp object to access the site with non-existent credentials,
> clearing the cache.
> 

Unfortunately, Firefox is now caching credentials so this technique no longer seems to work. See ticket #654348

https://bugzilla.mozilla.org/show_bug.cgi?id=654348
Bump.
So, how are users supposed to log out?
Should we (webmasters) just instruct them to use IE, which has this feature?
Are really 10 years needed to move forward on this issue?

Also don't forget about SSL client certificates, that have the same issue: they can "log in", but can never leave, as the song goes...
Bump
maybe the dom team can give some ideas.. http doesn't have a semantic
Component: Networking: HTTP → DOM
Bump. Still very much needed! Thanks.
I once proposed Session Management as an alternative to a logout or clear function on WhatWG mailing list. Perhaps this could still be useful.

In short:
- The website starts a session with window.sessionStart().
- With this the user-agent creates a new session context. The current session context becomes its parent.
- The new session context is only valid for the current window. Just like sessionStorage. A possible exception could be opening new windows with the window.open function.
- Any new http-auth tokens (either through XHR or UA-screen), sessionStorage data or session cookies will belong to the new session context and not its parent.
- Any lookup for http-auth tokens, sessionStorage or session cookies done by the UA will not only look in the current session but will also traverse it parents. Script will be totally unaware of this.
- When the website calls window.sessionEnd() the current session is destroyed with all http-auth tokens, sessionStorage data and session cookies that belong to it. And the parent session becomes the current session again.
- Alternatively if the user closes the current window or navigates to another domain, the session also ends. In my origal proposal the is optional, specified by script as a boolean to the window.sessionStart function, defaulting to true.

Script can now also set a timeout, ending a session after a period on inactivety and replace the current page with a message and offer the user to login again.

This seems to me like a doable enough interface. That solves more than just the one issue of not being able to logout. Adding just two functions sessionStart/sessionEnd. Is totally backwards compatible as long as sessionStart/sessionEnd are never used. Do not impact anything beyond it's own window. Allows the user to have multiple sessions. Single sign on behavior could also be implemented this way. When a script calls sessionStart a UA can prefill the new session with http-auth tokens from some store. Now the UA no longer needs to ask for credentials and script will be blissfully unaware.

I hope the idea helps.
Thanks Dave, great contribution. As said, still... this is very much needed and requested by our customers.
I'm going to close this as there's no standard for this feature. A reasonable place to request this functionality to be standardized would be https://github.com/whatwg/fetch, which sort of bridges the JavaScript API / HTTP world. Happy to help any requests out there.
Status: NEW → RESOLVED
Closed: 19 years ago6 years ago
Resolution: --- → INVALID
I don't think it's a good idea to close RFE's just because there is no standard.

See CSS. Most of the features which are now standard were first non-standard, proprietary extensions of some browser. Same with JavaScript's many features and TypeScript's experiments getting to ES 6 etc.

Just saying.
I agree with Ondra on this one.

Pawning off a 13-year-old RFE, especially one that still has the folks who have voted for it coming around to see if there is any movement on it, to some other project seems rather inconsiderate and short-sighted.
Component: DOM → DOM: Core & HTML

For anyone viewing this in the future, your needs might be served by the Clear-Site-Data HTTP header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

@tigt, but is it? As the MDN article suggests, Clear-Site-Data can be used to currently clean: "cache", "cookies", "storage", "executionContexts". There is no mention of cleaning the current SSL session / authentication cache of a browser? No mention of basic auth. or SSL client certificates in the article. If it really only clears cache, cookies and storage and cleaning executionContexts behaves like Location.reload(true), it'll not help for those log-in mechanisms relying on basic auth. or client certificates.

@tigt, @kris(In reply to Kristian Kraljic from comment #47)

Clear-Site-Data HTTP header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data

Even if that worked, it would be too much of a big stick. If I want to logout, I likely still want the website to remember me when I return.

(In reply to AnthonyV from comment #48)

Even if that worked, it would be too much of a big stick. If I want to logout, I likely still want the website to remember me when I return.

Well, I would assume Clear-Site-Data is fine, if it clears cookies, storage and cache, the browser will still remember e.g. saved passwords for a page. So I mildly disagree that Clar-Site-Data is such a "big stick" as you said. I would even say adding a Clear-Site-Data "ssl-session" and "basic-auth-cache" directive, would solve everyones misery in this thread. But as pointed out in this thread many times, there'd be many possible solution how to solve this from an API perspective. The much more interesting discussion is, how browsers could handle this reset technically.

You need to log in before you can comment on or make changes to this bug.