#54 new

Logout-action fails when logged in through basic http authentication.

Reported by Emuen | June 12th, 2009 @ 12:11 PM


I have a stage server that is password protected via basic HTTP authentication. The password and username for the .htaccess protection are the same as for the restful-authentication. I'm not sure if the problem arises from the passwords and usernames being the same, or whether restful-authentication simply doesn't log out the user when logged in through basic HTTP authentication.

Comments and changes to this ticket

  • dondarone

    dondarone August 2nd, 2009 @ 09:10 AM

    • Assigned user cleared.

    I can confirm this issue.

    Using request_http_basic_authentication as default response by overwriting access_denied, I can not logout anymore. After reverting that change, it works again.

    This was in a test environment on mongrel without any .htaccess authentication.

  • Satya

    Satya August 31st, 2010 @ 09:13 AM

    • Assigned user set to “mrflip”

    We too have the same problem.

  • Satya

    Satya August 31st, 2010 @ 09:48 AM

    One way to fix this is to disable "basic http authentication" completely.

    But we needed this for good user experience during Ajax actions, so we enabled this authentication only for Ajax actions:

    def login_from_basic_auth
      # Only honour the Authorization header on XMLHttpRequest calls;
      # plain page requests must rely on the session, so logout works.
      return false unless request.xhr?
      authenticate_with_http_basic do |login, password|
        self.current_user = User.authenticate(login, password)
      end
    end

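To make the failure mode and the fix from the comment above concrete, here is a self-contained simulation written for this ticket; it is not code from restful-authentication and does not need Rails. It models the plugin's lookup order (session first, then the Basic `Authorization` header) with a hypothetical `current_user` helper and a constructed single-user store, and shows why a logout that only clears the session is undone by the browser resending the header on every request, while restricting the header lookup to XHR requests (the `xhr_only` flag, an assumption standing in for `request.xhr?`) makes the logout stick for normal page loads.

```ruby
require 'base64'
require 'digest'

# Constructed user store: login => SHA-256 digest of the password.
# Example data for this demonstration only.
USERS = { 'alice' => Digest::SHA256.hexdigest('s3cret') }.freeze

# Compare two equal-length strings without short-circuiting on the first
# mismatching byte (a small stand-in for Rack::Utils.secure_compare).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the login on success, nil otherwise.
def authenticate(login, password)
  digest = USERS[login]
  return nil if digest.nil? || password.nil?
  secure_compare(digest, Digest::SHA256.hexdigest(password)) ? login : nil
end

# Minimal request model: a per-browser session hash, the raw headers,
# and whether the request was made by XMLHttpRequest.
Request = Struct.new(:session, :headers, :xhr, keyword_init: true)

def login_from_session(request)
  request.session[:user_id]
end

# Parses "Authorization: Basic base64(login:password)".
# With xhr_only: true, plain page requests never consult the header.
def login_from_basic_auth(request, xhr_only:)
  return nil if xhr_only && !request.xhr
  header = request.headers['Authorization']
  return nil if header.nil?
  scheme, encoded = header.split(' ', 2)
  return nil unless scheme == 'Basic' && encoded
  login, password = Base64.strict_decode64(encoded).split(':', 2)
  authenticate(login, password)
rescue ArgumentError
  nil # malformed base64 is treated as "no credentials"
end

# Lookup order used by the plugin: session first, then Basic auth.
def current_user(request, xhr_only: false)
  login_from_session(request) || login_from_basic_auth(request, xhr_only: xhr_only)
end

# A logout that only forgets the session; it cannot make the browser
# stop sending the Authorization header it has cached for the realm.
def logout!(request)
  request.session.delete(:user_id)
end

# Simulates: log in via Basic auth on a page request, log out, then load
# another page (the browser resends the same header). Returns true if the
# user is still recognised after the logout.
def still_logged_in_after_logout?(xhr_only:)
  header = 'Basic ' + Base64.strict_encode64('alice:s3cret')
  page = Request.new(session: {}, headers: { 'Authorization' => header }, xhr: false)
  page.session[:user_id] = current_user(page, xhr_only: xhr_only)
  logout!(page)
  !current_user(page, xhr_only: xhr_only).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "header honoured everywhere: still logged in = #{still_logged_in_after_logout?(xhr_only: false)}"
  puts "header only on XHR:         still logged in = #{still_logged_in_after_logout?(xhr_only: true)}"
end
```

The first line of output is the bug from the ticket: clearing the session is irrelevant while every page request carries valid credentials. The second shows the effect of the XHR-only restriction; Ajax calls can still authenticate with the header, but a normal page load after logout sees no user. Note that this only hides the symptom for page requests; a browser that has cached Basic credentials will keep sending them until the window is closed or the realm's response changes.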

Restful Authentication Generator

This widely-used plugin provides a foundation for securely managing user
* Login / logout
* Secure password handling
* Account activation by validating email
* Account approval / disabling by admin
* Rudimentary hooks for authorization and access control.
