Forum OpenACS Development: Logout on browser close, missing important feature!


Why in the world does OpenACS not support logout on browser close.

This is a very important feature for some users and currently no combination of parameters will allow this.

I have a simple fix that could be added with a parameter.

In sec_handler add

if {[catch {ad_get_signed_cookie_with_expr ad_user_login}]} {
    # no valid (signed, unexpired) ad_user_login cookie: force a login
    sec_login_handler
}

This means you have to have an ad_user_login cookie.

Also we need to take out the default value for sec_login_timeout in security-init.tcl to allow empty string as an option so we get a browser session cookie.

In addition I think I will rewrite the parameter help text so someone who has NOT read security-procs.tcl could change them and have any clue how the site would behave.

Posted by Dave Bauer on
No new parameters required.

If login timeout is empty string require a login cookie. Do not give someone a new login cookie with a valid session cookie.

if {[sec_login_timeout] eq "" && [catch {ad_get_signed_cookie_with_expr ad_user_login}]} {
    # login timeout is empty (session cookie mode) and there is no valid
    # ad_user_login cookie: a session cookie alone must not keep you logged in
    sec_login_handler
}

Posted by Torben Brosten on
Great! so this is getting added to cvs head?
Posted by Dave Bauer on
Torben,

That's the idea. I just wanted to get some feedback first in case I missed something.

Posted by Torben Brosten on
The only thing that comes to mind is that there may need to be a parameter to decide what happens for this logout case under the context of the user checking "Remember my login on this computer" during login.
Posted by Dave Bauer on
Torben,

Thanks. I will also test that case and report back.

AFAIR OpenACS has always supported "logout on browser close". If the site does not allow persistent logins, then closing the browser will effectively log you out, no? I have not tested that feature in years but I recall it working that way.

Or do you mean something different, like a setting that individual users can change to control if/when they get logged out?

Posted by Dave Bauer on
Andrew,

Nope. Persistent login does not behave that way because 1) the login cookie timeout parameter has a default value. You cannot set it to an empty string to create a session cookie.
So you always have a 1 day persistent cookie unless you set it to a different value. If your login times out AND your session times out, you do have to login again, but it is unrelated to the browser.

2) Due to changes made ages ago, even if the ad_user_login cookie could be a session cookie, if you have an ad_session_id cookie, it will refresh your session if it is within the session timeout even if you don't have a login cookie.

So there are two changes. 1) Allow the login timeout parameter to have an empty string value. 2) Allow the session handler to deal with a missing login cookie appropriately, if login timeout is an empty string.

I think this patch does that :)

Of course Firefox makes this all more interesting, because if you have a tab open with your OpenACS site and you either have the "Open my tabs" option selected or Firefox asks you if you want to save the open tabs on close, it will ALSO save your session cookies and keep them around, so you won't be logged out, even with a session cookie. So not only do you need to change the code, but users will need to understand how this works in Firefox. To combat this I also have a reasonably short session timeout of 1 hour. Less than that and users might be annoyed.
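A constructed Python model of the two cookie checks described in the post above, added here as an illustration (not OpenACS code; the real logic lives in sec_handler / sec_login_handler in security-procs.tcl). The names `Cookies`, `old_handler`, `fixed_handler`, the timestamps and the 1-hour session timeout are assumptions.

```python
"""Model of the OpenACS login/session cookie interaction discussed in the thread.

Constructed example. An empty LoginTimeout is modelled as None, which yields
an ad_user_login cookie without Max-Age, i.e. one the browser discards on close.
"""
from dataclasses import dataclass
from typing import Optional

SESSION_TIMEOUT = 3600  # seconds; the "reasonably short" 1-hour session timeout


@dataclass
class Cookies:
    """Cookies sent by the browser on a request."""
    # ad_session_id carries the time the session was last refreshed
    session_issued: Optional[int] = None
    # ad_user_login is gone once the browser discards a session cookie
    has_user_login: bool = False


def login_cookie_max_age(login_timeout: Optional[int]) -> Optional[int]:
    """Max-Age to set on ad_user_login: None means no Max-Age/Expires at all,
    so the browser treats it as a session cookie (change 1 in the post)."""
    return login_timeout


def old_handler(c: Cookies, now: int, login_timeout: Optional[int]) -> str:
    """Behaviour the post describes as the problem: a valid ad_session_id
    refreshes the session even when ad_user_login is missing."""
    if c.session_issued is not None and now - c.session_issued < SESSION_TIMEOUT:
        c.session_issued = now  # refresh; the login cookie is never consulted
        return "authenticated"
    return "login_required"


def fixed_handler(c: Cookies, now: int, login_timeout: Optional[int]) -> str:
    """Proposed change 2: with an empty LoginTimeout the login cookie must be
    present, so a surviving session cookie alone cannot keep the user in."""
    if login_timeout is None and not c.has_user_login:
        return "login_required"
    return old_handler(c, now, login_timeout)


def browser_closed_scenario(login_timeout: Optional[int]):
    """Browser was closed and reopened 10 minutes into a session: the
    session cookie was kept (e.g. tab restore), the login cookie was not."""
    now = 1_000_000
    old = old_handler(Cookies(session_issued=now - 600), now, login_timeout)
    new = fixed_handler(Cookies(session_issued=now - 600), now, login_timeout)
    return old, new
```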

Posted by Dave Bauer on
Any feedback? Maybe I'll put this in a TIP.
Please do!
Posted by Iuri Sampaio on
I do have some feedback.

The feature is very useful!
I believe you already thought about that, but in any case I suggest it here...
it would be great to have this functionality working with a parameter placed in the kernel parameters section to turn it on-off.

Do you agree?

Posted by Dave Bauer on
Yes, the parameters are all already there, we just have to use them correctly.
The following patches from March this year (in cvs head) made session cookies true session cookies (they are deleted on a browser close) and they avoid session hijacking:

http://fisheye.openacs.org/changelog/OpenACS/openacs-4/packages/acs-tcl/tcl?cs=MAIN%3Agustafn%3A20100315001053
http://fisheye.openacs.org/changelog/OpenACS/openacs-4/packages/acs-tcl/tcl?cs=MAIN%3Agustafn%3A20100315000900

Posted by Dave Bauer on
Thanks Gustaf, this looks good!

I was not familiar with the Discard option that looks like it does the trick.

Does it discard the ad_session_id cookie if persistent login is not checked or allowed? This is the one that was causing a problem since it renewed the session even if your login cookie had expired.