Bug 287957 - need a way for content to trigger a clearing of the HTTP auth session from script (.htaccess logout)

Status: NEW
Product: Core
Classification: Components
Component: DOM
Version: unspecified
Platform: All / All
Importance: -- enhancement (26 votes)
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
Duplicates: 324976
Depends on: 260839
Reported: 2005-03-27 15:44 PST by Jan Eri
Modified: 2016-08-22 02:14 PDT
CC: 36 users
Description Jan Eri 2005-03-27 15:44:58 PST
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Since version 6 (SP1) MS Internet Explorer has had the function
ClearAuthenticationCache
<http://msdn.microsoft.com/workshop/author/dhtml/reference/constants/clearauthenticationcache.asp>
which makes it easy to perform a .htaccess logout. I understand there is no
similar function in Firefox, and this makes users prefer IE for certain tasks.

I ask that ClearAuthenticationCache functionality is implemented in Firefox as well.

Reproducible: Always

Steps to Reproduce:
1. Perform .htaccess login
2. Realize that you cannot log out if you use Firefox
3.
Comment 1 Matthias Versen [:Matti] 2005-03-27 16:51:58 PST
https://bugzilla.mozilla.org/show_bug.cgi?id=55181#c55

This is/will be implemented via UI but not with DOM0
Comment 2 Ng Ming Hong 2005-03-27 23:11:59 PST
There is a similar function in Moz, just no UI. Install the Web Developer Tool (an
extension) and you'll get a UI for this.
http://www.chrispederick.com/work/firefox/webdeveloper/
Comment 3 Daniel Veditz [:dveditz] 2005-03-28 00:31:18 PST
That's not similar at all. That allows users to manually log out of HTTP auth.
This bug was filed about giving *sites* the ability to clear the client's auth
and force the client to reauthenticate. Specifically, Microsoft's
ClearAuthenticationCache mechanism.

Frankly it's not such a bad idea. Merchants can be on the hook to credit card
companies if the user cries "fraud" (in the US, anyway). I'm sure they'd love
the opportunity to make sure the user was really and truly logged out when they
hit the log-out button on the page. Even if we have logout UI (and we do in the
Suite) not many people are going to know to use it if they think they've done
all they need to by clicking the "log out" button on the site.

I can't see us supporting MS's syntax, though, and if we don't, what is the
likelihood that sites would write code just for Firefox? Also, a site shouldn't
be able to log you out of all sites, just that one.
Comment 4 Jan Eri 2005-03-28 14:37:11 PST
Well, 

it would clearly be best for developers if we could use the same code for IE and
FF. But presently we have a choice for IE and no choice at all for FF. If it is
absolutely necessary to have a syntax different from IE I would still prefer
that, compared to no syntax at all.....
Comment 5 Gervase Markham [:gerv] 2005-09-27 01:43:12 PDT
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/
Comment 6 Gervase Markham [:gerv] 2005-10-13 10:13:28 PDT
This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Comment 7 Jan Eri 2005-10-13 22:14:11 PDT
To me, this problem is as important as it was when I originally reported it. It
is also the reason some of our users need to use IE. Unfortunately I am not able
to help more than this, informing about the problem.
Comment 8 Jo Hermans 2006-01-27 15:38:01 PST
*** Bug 324976 has been marked as a duplicate of this bug. ***
Comment 9 Ilanio Castro 2006-01-28 03:01:47 PST
I'm a website developer and I'm using http-authentication on my site.

The first time a user accesses my page he/she is asked for a username and
password through browser authentication box.

After the user leaves the site (using a logoff page), if he/she doesn't close the
browser window or manually clear the authentication cache, then when he/she returns
to the site the authentication box isn't displayed, because the username and
password are stored in the browser cache.

Working with Internet Explorer, I use the javascript code
document.execCommand("ClearAuthenticationCache") on the logoff page and when
the user comes back to site, a new authentication box is displayed, since
authentication information was cleared from cache.

I was looking for a way to make the same thing on Firefox because I want to
make it compatible with FF, too.

After a long search and various posts on the message boards of Mozillazine, some
users told me to create a request in Bugzilla, because there's currently no way
to programmatically clear the HTTP Authentication cache in FF, like IE does with
the ClearAuthenticationCache command.

I think this missing feature makes user information vulnerable. On public
computers, if a user forgets to close browser window or clear the
authentication cache manually, other users that use the same computer can access
the site using previous credentials entered, since the browser will not ask for
a username and password again.

I'm asking for a way to perform this task (clear the authentication cache) programmatically, using JavaScript or something like it, to clear the authentication cache without user intervention.

On this site you can reproduce problem: http://gemal.dk/browserspy/password-works.html
Username: test   Password: test

See the link "flush all credentials" on the page. Use IE to see what I need to
do with FF too. 

1. Access http://gemal.dk/browserspy/password-works.html using IE
2. Username: test   Password: test
3. Refresh the page to ensure that you are authenticated
4. Click the link "flush all credentials"
5. Refresh the page and IE will ask for username and password again

I need to make the same thing with FF.

I think it is not hard work since there's a menu item in FF that does this job.
Comment 10 Mike Connor [:mconnor] 2006-01-29 14:05:55 PST
Exposing a way to log a user out of _all_ authenticated sessions without interaction, in the same way IE works, isn't something I want to expose to web content. Why should foo.com be able to log me out of bar.com?

That said, being able to log out of the current HTTP auth session (i.e. if I'm logged into foo.com, foo.com can log me out of foo.com) would be acceptable, though I'm not sure why the site can't kill the session itself.
Comment 11 Ilanio Castro 2006-01-30 13:52:19 PST
In my opinion, if you leave a site that requires authentication, your authentication cache should be cleared automatically, and when you come back to the site you must be asked to authenticate again. Unfortunately, the W3 specifications say otherwise (that needs to be changed) and the browser cache exists...

By the way, the existence of a function to clear only the current domain that calls it is a good start...
Comment 12 Ilanio Castro 2006-06-10 16:24:12 PDT
Hi,

Since my last post nothing was done and time is ticking... I found scripts that try to expose the nsIHttpAuthManager.clearAll() method of XPCOM, without success.

Look it:

<script language="javascript">
<!-- //
function clear_autentificacion() {
  try {
    if (document.all) {
      // IE clears HTTP Authentication
      document.execCommand("ClearAuthenticationCache");
    } else {
      // Mozilla: needs the UniversalXPConnect privilege, which ordinary
      // web content is not granted
      netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
      var authenticationManager = Components.classes["@mozilla.org/network/http-auth-manager;1"]
        .getService(Components.interfaces.nsIHttpAuthManager);
      authenticationManager.clearAll();
    }
  } catch (e) {
  }
}
// -->
</script>

I think that using this script, I could clear authentication cache of FF, but It didn't work...

By now, I'm clearing cache of FF using this code on mysite.com:

<script language="javascript" type="text/javascript">
<!--

function LimpaAuth() {
  try {
    if (document.all) {
      // Clear IE's HTTP authentication cache
      document.execCommand("ClearAuthenticationCache");
      window.location = "about:home";
    } else {
      // Firefox: navigating to a user:pass@host URL with bogus credentials
      // replaces the credentials the browser holds for this site
      window.location = "http://logout:logout@mysite.com";
      window.home();
    }
  } catch (e) {
    // On error, show a message to the user
    alert("It was not possible to clear your credentials from the browser cache. Please close your browser window to ensure that you are completely logged out of the system.");
    self.close();
  }
}

// -->
</script>

It's ridiculous to use the syntax user:pass@site.com to clear authentication cache but it's the only thing that is working to clear the FF cache programmatically.

We need a clean way to do this right now!!!
Comment 13 Daniel Veditz [:dveditz] 2006-06-11 19:22:21 PDT
Hixie, is this something WHAT-WG should spec?

Darin, do we have an iface that will clear a single site's authentication? (I seem to remember we don't.)
Comment 14 Ilanio Castro 2006-06-11 20:06:35 PDT
Please note that I need solutions that "belongs" to browser by default.

Various users will not agree to install extensions to perform clean-up of cache.
Comment 15 Hixie (not reading bugmail) 2006-06-12 13:43:48 PDT
What is there to spec? Surely this should just be a menu item?

There have been suggestions that you should be able to submit a form to HTTP auth, but it's not clear how that would work.
Comment 16 Darin Fisher 2006-06-12 14:40:03 PDT
Hixie: See comment #12.  I believe the bug is about providing a Javascript-based API to clear the auth cache.

Dveditz: Right, there isn't an API provided for this.  We'd want to extend nsIHttpAuthManager to provide one.
Comment 17 Ilanio Castro 2006-06-12 15:46:29 PDT
What we need is a method in JavaScript to clean the cache. Not a menu item! (This already exists).

We need a way to clean the cache programmatically (using JavaScript).

Note that I tried to use nsIHttpAuthManager in the script below without success:

<script language="javascript">
<!-- //
function clear_auth() {
  try {
    if (document.all) {
      // IE clears HTTP Authentication
      document.execCommand("ClearAuthenticationCache");
    } else {
      // Mozilla: needs the UniversalXPConnect privilege
      netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
      var authenticationManager = Components.classes["@mozilla.org/network/http-auth-manager;1"]
        .getService(Components.interfaces.nsIHttpAuthManager);
      authenticationManager.clearAll();
    }
  } catch (e) {
  }
}
// -->
</script>

I know that for this script to run in FF I need to change the "signed.applets.codebase_principal_support" parameter to "true". I did it, but without success in clearing the FF HTTP cache.
Comment 18 Christian :Biesinger (don't email me, ping me on IRC) 2006-06-12 16:07:58 PDT
anything in the js console?
Comment 19 Ilanio Castro 2006-06-13 08:16:11 PDT
(In reply to comment #18)
> anything in the js console?

No. It runs without any errors but doesn't clear the cache.

I run it on logout page. It gives me a security warning about the script. I click on "Allow" button, to allow script to run, and it runs without errors, but, when I return to site, I access it without user/pass dialog box.

Another problem is the security alert because some users can be scared with it.
Comment 20 Ilanio Castro 2006-06-16 20:16:46 PDT
I found another script to clear the cache of FF.

It uses a xmlhttp object to access the site with non-existent credentials, clearing the cache.

Look it:

<script language="javascript" type="text/javascript">

try {
  var agt = navigator.userAgent.toLowerCase();
  if (agt.indexOf("msie") != -1) {
    // IE: clear the HTTP authentication cache
    document.execCommand("ClearAuthenticationCache");
  } else {
    // Mozilla: request the "force logout" page with bogus credentials
    // ("logout"/"logout") so the browser overwrites the credentials it
    // holds for this site; the server answers 401 to those credentials
    var xmlhttp = createXMLObject();
    xmlhttp.open("GET", ".force_logout_offer_login_mozilla", true, "logout", "logout");
    // Send the request to the server
    xmlhttp.send("");
    // Abort the request so the browser does not show its own login dialog
    xmlhttp.abort();
  }
  // Redirect the user to the main web page
  window.location = "/rest/";
} catch (e) {
  // There was an error
  alert("there was an error");
}

function createXMLObject() {
  var xmlhttp;
  try {
    if (window.XMLHttpRequest) {
      xmlhttp = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
      // code for IE
      xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
  } catch (e) {
    xmlhttp = false;
  }
  return xmlhttp;
}
</script>

It is a **** way to clean the cache, but it is a solution, since FF does not have another way to allow web developers to programmatically clean its cache.

You can test this script in action at the author's site (http://nanodocumet.homedns.org/rest/)
Comment 21 Asa Dotzler [:asa] 2007-02-27 18:45:41 PST
I've heard of one case where this is blocking institutional roll-out of Firefox. The situation is shared machines accessing an intranet and credentials being exposed to others. It's especially bad on Mac where closing the last browser window (but not exiting the app) doesn't clear the credentials like it does on Windows. Offering the intranet app a mechanism to clear credentials via JS would give Firefox parity with IE and make it easier for some institutions to switch to Firefox. 
Comment 22 Mike Connor [:mconnor] 2007-03-27 10:51:33 PDT
Moving to core, this is a Necko issue.
Comment 23 Scott Thomas 2007-10-20 12:21:39 PDT
More than two years since this was opened and this is single-handedly preventing me as an intranet web programmer from implementing NTLM Authentication.  I can *not* rely on users to close their browser.  This lack of functionality makes NTLM authentication a big security risk.
Comment 24 Jan Eri 2008-01-12 16:28:00 PST
I was able to get the solution mentioned by Ilanio above to work when I delayed the xmlhttp.abort(); a bit, like this:

setTimeout("xmlhttp.abort();", 100);

But I still really miss this functionality in Firefox - the easiest solution in a Windows community is to use IE.
Comment 25 Ryan Cannon 2008-01-30 12:33:08 PST
With increased use of OpenID and scripts such as phpMyId[1], which use HTTP Digest Authentication, the user risk involved in this issue is significantly increased. Once a user authenticates with such a script, a password is not required for *any* OpenID-enabled Web site to which the user has an account.

Perhaps this is the fault of the script, but Firefox should supply some kind of mechanism for sites to clear the AUTH cache.

[1]: http://siege.org/projects/phpMyID/
Comment 26 Mike Connor [:mconnor] 2008-02-16 17:30:28 PST
We need some sort of spec for a sane way to log out a specific HTTP auth.  The IE solution is terrible, one app shouldn't be able to log a user out of every http auth app they're using, especially without interaction.  That type of model makes sense for a single window, single tab scenario (i.e. 1999) but in a "I have 137 tabs open" world it's harmful to users.
Comment 27 Ondra Zizka 2008-04-04 02:44:46 PDT
Calling the code

   document.execCommand('ClearAuthenticationCache',true);

in Firefox 2.0.0.13 throws me an exception:

uncaught exception: [Exception... "Not enough arguments"  nsresult: "0x80570001 (NS_ERROR_XPC_NOT_ENOUGH_ARGS)"  location: "JS frame :: http://...:81/ :: onclick :: line 1"  data: no]
Comment 28 Matt Andruff 2008-08-25 17:22:20 PDT
This bug has some good (and very long) discussion on how to implement this via content.
https://bugzilla.mozilla.org/show_bug.cgi?id=55181 

This post mentions how this is suggested by w3c
https://bugzilla.mozilla.org/show_bug.cgi?id=55181#c10

My favorite suggestion for implementing this is a link for a specific domain and realm:
about:logout?protocol=http&domain=www.zope.org+realm=Zope

logout of all domain-realms:
about:logout?protocol=http&domain=www.zope.org+realm=*

logout of all domains:
about:logout?protocol=http&domain=*

originally suggested 
https://bugzilla.mozilla.org/show_bug.cgi?id=55181#c22
and refined
https://bugzilla.mozilla.org/show_bug.cgi?id=55181#c36
Comment 29 Robert O'Callahan (:roc) (email my personal email if necessary) 2008-09-15 01:52:27 PDT
Loading a magic URL isn't the ideal API to use from script.

I'd suggest a simple API on the 'navigator' object, say, 'dropAuthentication', taking no parameters. It would just drop whatever authentication was used to load the current document.
Comment 30 Aquila 2009-02-21 05:55:10 PST
I can't believe it; periodically I face the same problem. I think the first time I discovered that IE was able to clear the authentication cache and FF wasn't was in 2006. Now it is about 4 YEARS that users have been asking for a way to clear the authentication cache and still there is no solution.
I can imagine that the IE way is "so horrible", but at least they offer a solution. Is it "so horrible" to offer the same method as IE? At least while you guys think about the best way to do it (how many years do you still need?) we would have something usable.
Comment 31 dan_500 2009-11-01 13:36:20 PST
I think it's very easy to write a patch which implements the ClearAuthenticationCache function of Internet Explorer using nsIHttpAuthManager, but I can't write the patch for you because I'm not a C programmer.
Comment 32 alta88 2010-02-19 18:07:03 PST
It's not even possible from chrome JS to remove a single entry.  Certainly no content should clearAll, and no chrome would want to.  It's just a matter of exposing:

http://mxr.mozilla.org/mozilla1.9.2/source/netwerk/protocol/http/src/nsHttpAuthCache.h#243
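A model of the scoping the thread keeps asking for (comments 3, 10 and 26: a site may only log you out of itself), as an added example that is neither Mozilla's code nor anything proposed verbatim here: an in-memory credential cache keyed the way Necko keys nsHttpAuthCache (by scheme://host:port and then realm), with the single-entry removal comment 32 says is not exposed, a navigator.dropAuthentication-style call as in comment 29, and a parser for the about:logout URL form from comment 28. The cache contents, the origin strings and the decision to accept both & and + as parameter separators are assumptions.

```javascript
// Added example, not Mozilla code: an in-memory model of a browser HTTP auth
// credential cache keyed like Necko's nsHttpAuthCache (origin, then realm),
// plus two removal APIs from the thread, both bound to the calling
// document's origin so foo.com cannot log you out of bar.com.
'use strict';

class HttpAuthCache {
  constructor() {
    this.entries = new Map(); // originKey -> Map(realm -> {user, pass})
  }

  static originKey(scheme, host, port) {
    const p = port || (scheme === 'https' ? 443 : 80);
    return `${scheme}://${host.toLowerCase()}:${p}`;
  }

  set(scheme, host, port, realm, creds) {
    const key = HttpAuthCache.originKey(scheme, host, port);
    if (!this.entries.has(key)) this.entries.set(key, new Map());
    this.entries.get(key).set(realm, creds);
  }

  get(scheme, host, port, realm) {
    const realms = this.entries.get(HttpAuthCache.originKey(scheme, host, port));
    return realms ? realms.get(realm) : undefined;
  }

  // Remove one realm's entry for an origin, or every realm when realm is '*'.
  // Returns the number of entries removed (the single-entry removal of comment 32).
  clear(scheme, host, port, realm = '*') {
    const key = HttpAuthCache.originKey(scheme, host, port);
    const realms = this.entries.get(key);
    if (!realms) return 0;
    if (realm === '*') {
      const n = realms.size;
      this.entries.delete(key);
      return n;
    }
    if (!realms.delete(realm)) return 0;
    if (realms.size === 0) this.entries.delete(key);
    return 1;
  }

  // What IE's ClearAuthenticationCache does: every origin, every realm.
  clearAll() {
    const n = this.size();
    this.entries.clear();
    return n;
  }

  size() {
    let n = 0;
    for (const realms of this.entries.values()) n += realms.size;
    return n;
  }
}

function originParts(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol.replace(/:$/, ''), host: u.hostname, port: u.port ? Number(u.port) : undefined };
}

// Model of navigator.dropAuthentication (comment 29): the UA knows which
// document is calling, so the drop is bound to that document's origin.
function dropAuthentication(cache, documentOrigin, realm = '*') {
  const o = originParts(documentOrigin);
  return cache.clear(o.scheme, o.host, o.port, realm);
}

// Parse about:logout?protocol=http&domain=www.zope.org&realm=Zope
// (comment 28 wrote '+' between parameters; both separators are accepted, an assumption).
function parseLogoutUrl(s) {
  const prefix = 'about:logout?';
  if (typeof s !== 'string' || !s.startsWith(prefix)) return null;
  const params = { protocol: 'http', domain: null, realm: '*' };
  for (const kv of s.slice(prefix.length).split(/[&+]/)) {
    const eq = kv.indexOf('=');
    if (eq < 0) continue;
    const k = decodeURIComponent(kv.slice(0, eq));
    if (Object.prototype.hasOwnProperty.call(params, k)) params[k] = decodeURIComponent(kv.slice(eq + 1));
  }
  return params.domain ? params : null;
}

// Apply an about:logout request on behalf of a document.  Content may only
// clear its own origin: domain wildcards and any scheme/host other than
// the caller's are refused (comments 3, 10 and 26).
function handleLogoutUrl(cache, callerOrigin, url) {
  const p = parseLogoutUrl(url);
  if (!p) return { ok: false, reason: 'malformed', removed: 0 };
  const o = originParts(callerOrigin);
  if (p.domain === '*' || p.domain.toLowerCase() !== o.host.toLowerCase() || p.protocol !== o.scheme) {
    return { ok: false, reason: 'cross-origin', removed: 0 };
  }
  return { ok: true, removed: cache.clear(o.scheme, o.host, o.port, p.realm) };
}
```

The origin check in handleLogoutUrl is the whole point: the wildcard forms from comment 28 (domain=*) stay available to browser UI, which can call clear or clearAll directly, but are refused when a document asks for them. clearAll is kept on the class only to make the contrast with the IE behaviour visible.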
Comment 33 mackyle 2010-09-09 11:20:24 PDT
See also WebKit bug <https://bugs.webkit.org/show_bug.cgi?id=44823>.
Comment 34 AnthonyV 2011-12-13 13:54:00 PST
Same comment as many others.  Please find some way to add the ability to clear the authentication.

At the very least you could support document.execCommand('ClearAuthenticationCache') but only clear the authentication cache for the current domain.

A better option would be something like: window.ClearAuthenticationCache();

Being able to Log Off from a site is such a basic option that this should really be a no-brainer.   Even if you ask the user before clearing the credentials then that would still be a huge improvement over doing nothing.

Thank you.
Comment 35 Peter Borissow 2012-06-22 07:07:08 PDT
(In reply to Ilanio Castro from comment #20)
> I found another script to clear the cache of FF.
> 
> It uses a xmlhttp object to access the site with non-existent credentials,
> clearing the cache.
> 

Unfortunately, Firefox is now caching credentials so this technique no longer seems to work. See ticket #654348

https://bugzilla.mozilla.org/show_bug.cgi?id=654348
Comment 36 B.Kaatz 2013-04-23 09:41:03 PDT
Bump.
Comment 37 David Balažic 2014-09-03 05:51:55 PDT
So, how are users supposed to log out?
Should we (webmasters) just instruct them to use IE, which has this feature?
Are really 10 years needed to move forward on this issue?

Also don't forget about SSL client certificates, that have the same issue: they can "log in", but can never leave, as the song goes...
Comment 38 daniel.siwiec 2015-12-08 14:44:38 PST
Bump
Comment 39 Patrick McManus [:mcmanus] PTO until Sep 6 2016-01-26 13:43:37 PST
maybe the dom team can give some ideas.. http doesn't have a semantic
Comment 40 Kristian Kraljic 2016-03-10 12:11:37 PST
Bump. Still very much needed! Thanks.
Comment 41 Dave Kok 2016-03-11 02:11:59 PST
I once proposed Session Management as an alternative to a logout or clear function on the WHATWG mailing list. Perhaps this could still be useful.

In short:
- The website starts a session with window.sessionStart().
- With this the user-agent creates a new session context. The current session context becomes its parent.
- The new session context is only valid for the current window. Just like sessionStorage. A possible exception could be opening new windows with the window.open function.
- Any new http-auth tokens (either through XHR or UA-screen), sessionStorage data or session cookies will belong to the new session context and not its parent.
- Any lookup for http-auth tokens, sessionStorage or session cookies done by the UA will not only look in the current session but will also traverse it parents. Script will be totally unaware of this.
- When the website calls window.sessionEnd() the current session is destroyed with all http-auth tokens, sessionStorage data and session cookies that belong to it. And the parent session becomes the current session again.
- Alternatively, if the user closes the current window or navigates to another domain, the session also ends. In my original proposal this is optional, specified by script as a boolean to the window.sessionStart function, defaulting to true.

Script can now also set a timeout, ending a session after a period of inactivity, and replace the current page with a message offering the user to log in again.

This seems to me like a doable enough interface, and it solves more than just the one issue of not being able to log out. It adds just two functions, sessionStart/sessionEnd. It is totally backwards compatible as long as sessionStart/sessionEnd are never used. It does not impact anything beyond its own window. It allows the user to have multiple sessions. Single sign-on behavior could also be implemented this way: when a script calls sessionStart, a UA can prefill the new session with http-auth tokens from some store. Now the UA no longer needs to ask for credentials and script will be blissfully unaware.

I hope the idea helps.
Comment 42 Kristian Kraljic 2016-08-22 02:14:32 PDT
Thanks Dave, great contribution. As said, still... this is very much needed and requested by our customers.
