NOTE: This is a HistoricalDocument topic. It used to be distributed in an earlier TWiki release, but is no longer part of the official TWiki distribution. Post questions, error notes, and suggestions concerning the documentation of this topic in the comments section below! Use the Support web for problems you are having using TWiki.
FAQ:
How do you log off? Suppose I log in with the guest username but later I want to use another username, how do I log off from the guest user name?
Answer:
To log off from a TWiki site, you must exit your browser and reconnect to the site. When asked, enter the new username and password.
Why is this?
Many TWiki sites use HTTP Basic Authentication, which pops up a window asking for username and password. Once entered, the browser remembers them, and supplies them as part of subsequent references to the site.
HTTP is a stateless protocol. The web server remembers nothing about a user between individual accesses -- and it can take several accesses to load a single page. The web browser must remember the state of each transaction. You are never really "logged into" a web site -- you have given the browser the codes to unlock each request. Only if the browser does not have credentials to present to a site will it ask for them.
Most browsers do not give the user a way to "forget" the username and password. To log in as a different user, you must exit the browser (perhaps all instances of the browser), and reconnect to the TWiki site.
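The exchange described above, modelled in Python as an added example (not part of the original FAQ or TWiki's code): the server decides from each request's headers alone, and the browser's cached Authorization header is the only "login" state. The realm, the accounts and the `Browser` class are assumptions made for illustration.

```python
import base64
import hmac

REALM = "TWiki"                                  # assumed realm name
USERS = {"guest": "guest", "alice": "s3cret"}    # constructed accounts

def handle_request(headers):
    """Server side: decides from this one request's headers, keeps no state."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            raw = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:                       # bad base64 or bad UTF-8
            raw = ""
        user, _, password = raw.partition(":")
        known = USERS.get(user)
        if known is not None and hmac.compare_digest(known.encode(), password.encode()):
            return 200, {"REMOTE_USER": user}
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

class Browser:
    """Client side: the credential cache that makes the user look 'logged in'."""
    def __init__(self, prompt):
        self.prompt = prompt     # callable standing in for the login dialog
        self.cached = None       # Authorization value remembered for the site
        self.prompts = 0

    def get(self):
        headers = {"Authorization": self.cached} if self.cached else {}
        status, info = handle_request(headers)
        if status == 401:        # no usable credentials: ask the user, then retry
            self.prompts += 1
            user, password = self.prompt()
            token = base64.b64encode(f"{user}:{password}".encode()).decode()
            self.cached = "Basic " + token
            status, info = handle_request({"Authorization": self.cached})
        return status, info

    def clear_http_authentication(self):
        self.cached = None       # what exiting the browser achieves

def demo():
    logins = iter([("guest", "guest"), ("alice", "s3cret")])
    browser = Browser(lambda: next(logins))
    first = browser.get()        # dialog shown, guest credentials cached
    second = browser.get()       # no dialog, cached header re-sent
    browser.clear_http_authentication()
    third = browser.get()        # dialog shown again, now as alice
    return first, second, third, browser.prompts
```

Nothing on the server changes between the second and third request; only the client's cache does, which is why the server has no "log off" to offer.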
If you have the Mozilla or Firefox browser installed, the Web Developers toolbar extension has a function which allows HTTP Authentication details to be reset, without the need to close your browser.
To use this function, download the extension for Firefox or Mozilla and restart your browser (if necessary). On the Web Developers toolbar, click Miscellaneous, then Clear HTTP Authentication. Now if the page is reloaded, you will need to "login" again.
--
Contributors: TWiki:Main.CarlMikkelsen, TWiki:Main.DanielNitsche
Comments & Questions about this Historical Document Topic
A few hints (things I discovered that I was not expecting and that didn't seem to be in the Installation docs)
- you MUST edit the bin/.htaccess file appropriately; it must point at the correct path to the .htpasswd file in the data dir
- you MUST rename bin/.htaccess.txt to bin/.htaccess for Apache to use it
Even after you do these things, access is only controlled for certain types of activities (e.g. edit not view) and in certain areas (e.g. if you have set the ALLOWTOPICCHANGE setting to restrict who can make changes).
Unless you have done everything necessary to support access control AND you request a particular kind of access that IS controlled, you will never see the "login" dialog at all, no matter how often you quit your browser session!
--
VickiBrown - 03 Jun 2003
This is to be expected. TWiki is designed as a collaboration tool that above all is usable by the general public as a simple website. If TWiki required login by default just to see a webpage, it would defeat TWiki's very purpose.
--
JonathanBenn - 06 Dec 2003
It would help matters greatly, however, if there were TwikiLogin and TwikiLogout topics by default. The TwikiLogin topic by default could just have the Site Map, with a comment that if you didn't have to login to get there, then User Authentication is not setup correctly. The TwikiLogout topic would mention the deficiency that the authentication is browser based.
IMHO, Twiki really should manage authentication itself. Even in a public collaboration, you want people's identifications to be valid, and access restrictions are mandatory in a lot of real world collaborations.
--
AlanBatie - 15 Jan 2004
I think most up-to-date browsers support authentication in the url. So the simplest way to logout is to insert "username@" in front of the url (e.g. http://newuser@twiki.org/cgi-bin/edit/TWiki/HowToLogOff ).
You will get a new login window to enter username and password again. To logout simply cancel the new login. You don't need to close all browser instances.
--
MarkusKolb - 15 Sep 2004
Markus, URL-authentication isn't a good choice for the masses, not least because the most common browser in the world (IE) no longer allows http://username:password@URL URLs because of a security hole.
--
TorbenGB - 16 Sep 2004
If you are using FireFox then you could install the Web Developers Plugin. It has an option to "Clear HTTP Authentication". It works for me.
--
KenMankoff - 22 Oct 2004
I felt the Web Developers toolbar mentioned previously by TorbenGB deserved a mention in the actual FAQ.
--
DanielNitsche - 08 Nov 2004
True. It's a great tool. However, it's hardly good for end users. Like do end users want to know about CSS, etc? There is a lot of dangerous stuff there for the unaware. IMO we need to pursue ditching HTTP authentication - discussion on SessionPluginDev
--
MartinCleaver - 09 Nov 2004
Any application where the FAQ even needs an entry 'HowToLogOff' is quite badly broken if you ask me. TWiki should implement its own authentication scheme. Most sites do. It's a shame, because TWiki is very cool in many other respects.
--
StefanMagdalinski - 22 Nov 2004
What does the Web Developers Toolbar in Firefox do? Could that somehow be incorporated in a "logoff" button on the menu? Could TWiki pass a cryptographically signed token as a cookie following a "logon" and have "logoff" remove the cookie?
--
AntonAylward - 24 Nov 2004
No. It clears the HTTP Basic authentication - this is different from cookies, it's the mechanism that sets REMOTE_USER. Very few sites use Basic Authentication: in my view we should isolate to a plugin so we can relegate it to those places that actually like need (WN) the low cookie-free TWikiSystemRequirements.
--
MartinCleaver - 24 Nov 2004
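The signed-cookie logon and logoff asked about above, written with Python's standard library as an added example (not TWiki code and not from any participant in this thread); the cookie name, the token layout and the in-memory revocation set are assumptions. Logoff revokes the session id on the server as well as deleting the cookie, because a copy of a signed token stays valid until it expires if only the browser's cookie is removed.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # per-site secret, generated here for the demo
REVOKED = set()                        # session ids ended by logoff
COOKIE = "TWIKI_SESSION"               # hypothetical cookie name

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, ttl=3600, now=None):
    """Called after a successful logon: returns 'user|session-id|expiry|signature'."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{user}|{secrets.token_hex(8)}|{now + ttl}"
    return f"{payload}|{_sign(payload)}"

def verify_cookie(cookie, now=None):
    """Return the user name, or None if forged, expired or logged off."""
    now = int(time.time()) if now is None else now
    payload, _, sig = cookie.rpartition("|")
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    user, session_id, expires = payload.split("|")
    if session_id in REVOKED or now >= int(expires):
        return None
    return user

def logoff(cookie):
    """Revoke the session server-side and return the header that deletes the cookie."""
    if verify_cookie(cookie) is not None:
        REVOKED.add(cookie.split("|")[1])
    return f"Set-Cookie: {COOKIE}=; Max-Age=0; Path=/; HttpOnly"
```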
Just a note for all those who use Firefox/Mozilla and don't want to install the Webdeveloper Plugins. There's a new very simple extension, that only clears the http authentication cache. Can be downloaded here
--
UlrichVoss - 11 Jan 2005
I've quit out of Safari several times to no avail. I'm never presented with an authentication box. It seems to know who I am, since the correct signature shows up in the edit pages, but USERNAME, WIKIUSERNAME, and WIKINAME all show up as guest in the TWikiVariables form. What am I doing wrong?
--
MeredithLesly - 09 Feb 2005
Meredith, that is a strange combination you describe. You should ask about this in Support.WebHome or maybe even a Codev.BugReport
--
MattWilkie - 09 Feb 2005
Not going to figure out where this fits in the big picture, but I thought I'd at least add something helpful: see ViewRegPatch for a quick patch that allows users to register with twiki without logging in as twiki guest.
--
DanielHagerty - 08 Mar 2005