Source: davical
Version: 1.1.1-1
Severity: wishlist
Tags: upstream

Hi.

As a small cosmetic enhancement I would suggest that you don't display the logout button at all, when actually non-session/cookie login is used to get into the admin pages. Typically this means that HTTP Basic Auth was used to have the session/cookie generated (without entering passwords in an HTML form).

Why? For HTTP Basic Auth, there is no standardised and browser-portable way to log out,... so even after clicking the logout button,... the browser thinks it has to transmit the credentials. So as soon as one then clicks the login button... one will immediately and automatically get logged in again and even get a new session cookie.

Ergo... the login button makes no sense in that case.

There are some non-portable/standardised ways to log out of HTTP basic authz, see e.g.:
http://stackoverflow.com/questions/233507/how-to-log-out-user-from-web-site-using-basic-authentication
http://stackoverflow.com/questions/449788/http-authentication-logout-via-php
but I'd strongly recommend against them... not only for idealistic reasons... but also for practical: People may actually use something different than HTTP Basic auth... e.g. SSL client certificate authentication... which just fakes the HTTP Basic auth... so one would again fall back to the logged-in state.

Cheers,
Chris.
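
The behaviour the report describes, modelled as an added example (not DAViCal code and not part of the original report): a browser that replays cached Basic credentials gets a fresh session right after logging out, and `render` applies the suggested fix of omitting the logout link for such sessions. All names (`handle`, `render`, `Browser`, the `/admin` and `/logout` paths, the credentials) are constructed for illustration.

```python
import base64
import secrets

USERS = {"admin": "s3cret"}   # constructed sample credentials
SESSIONS = {}                 # session id -> (user, how the session was created)

def handle(path, headers):
    """Toy admin app: returns (status, set_cookie, body)."""
    sid = headers.get("Cookie")
    if path == "/logout":
        SESSIONS.pop(sid, None)            # server-side session is destroyed
        return 200, None, "logged out"
    if sid in SESSIONS:
        user, via = SESSIONS[sid]
        return 200, None, render(user, via)
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if USERS.get(user) == pw:
            sid = secrets.token_hex(16)    # session minted from HTTP auth
            SESSIONS[sid] = (user, "http-auth")
            return 200, sid, render(user, "http-auth")
    return 401, None, "login required"

def render(user, via):
    # The suggestion from the report: only offer logout for form logins,
    # because the application cannot make the browser forget HTTP auth.
    logout = "" if via == "http-auth" else " [Logout]"
    return f"admin pages for {user}{logout}"

class Browser:
    """Caches Basic credentials for the realm and replays them on every request."""
    def __init__(self, user, pw):
        self.basic = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
        self.cookie = None

    def get(self, path):
        headers = {"Authorization": self.basic, "Cookie": self.cookie}
        status, set_cookie, body = handle(path, headers)
        self.cookie = set_cookie or self.cookie
        return status, body

def demo():
    b = Browser("admin", "s3cret")
    b.get("/admin")
    old = b.cookie
    b.get("/logout")
    status, after = b.get("/admin")   # credentials are replayed automatically
    return status, old != b.cookie, old in SESSIONS, after
```

`demo()` shows the old session is gone after logout, yet the very next request succeeds with a new session cookie and without any user interaction.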