How do you make a TWiki logout page?
When many people successively use the same screen and are likely to use the same browser running without being closed down, it may be practical to be able to log out of TWiki.
Some hints:
http://www.ssi-developer.net/htaccess/htaccess_logout.shtml
Method: recommend that the user tries to access an inaccessible file
As of version twiki_20030201-1_all.deb, what works is the following
an inaccessible file
- ls -l /usr/lib/cgi-bin/twiki/logoutfile
- -rwxr-xr-x 1 root root 0 Sep 23 14:52 /usr/lib/cgi-bin/twiki/logoutfile
- an empty local file, local access doesn't matter
- more /usr/lib/cgi-bin/twiki/.htaccess
- ...
- <Files "logoutfile">
- require user logoutuser
- </Files>
- only one very special user is allowed to access the file
- more /var/lib/twiki/data/.htpasswd
- ...
- logoutuser:logoutpass
- In principle, if anyone can decrypt the string "logoutpass" (in principle, as far as apache is concerned, this is the crypted version of some existing password), he/she could log in as user logoutuser. However, it's very unlikely that this could be done, and even if it could be, it wouldn't matter.
- the directories for Debian are probably different to standard - you have to sort this out for your system
Explanation for the user
- info on ExampleLogoutPage, before accessing inaccessible file, so that the user understands what to do - with a link to the inaccessible file - it's probably important to have this wrapper page, since otherwise the user will not understand that clicking on cancel is what is expected.
- info on /var/lib/twiki/templates/oopsauth.tmpl ExampleLogoutOopsAuthTempl, this is seen after accessing the inaccessible file and clicking on cancel - someone can reach this page for different reasons, it's probably important that the user has this feedback
--
BoudRoukema - 10 Jan 2004
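The setup steps from the post above, collected into one idempotent script. This is an added example, not part of the original post: the function names `setup_logout` and `verify_logout` and the scratch-directory demo are assumptions, and the paths are parameters because the post notes they differ between systems.

```shell
#!/bin/sh
# Added example: set up the "inaccessible file" logout target from the post.
# Debian paths in the post: /usr/lib/cgi-bin/twiki and /var/lib/twiki/data/.htpasswd

setup_logout() {
    cgi_dir=$1              # directory holding the TWiki CGI scripts and .htaccess
    htpasswd=$2             # password file Apache already uses for TWiki
    user=${3:-logoutuser}   # the one special user named in the post
    field=${4:-logoutpass}  # password field as given in the post

    # 1. Empty file, mode rwxr-xr-x as in the post's ls -l output.
    [ -e "$cgi_dir/logoutfile" ] || : > "$cgi_dir/logoutfile"
    chmod 755 "$cgi_dir/logoutfile"

    # 2. Restrict that one file to the special user (append once only).
    if ! grep -q '<Files "logoutfile">' "$cgi_dir/.htaccess" 2>/dev/null; then
        printf '<Files "logoutfile">\nrequire user %s\n</Files>\n' "$user" \
            >> "$cgi_dir/.htaccess"
    fi

    # 3. Add the special user to the password file (append once only).
    if ! grep -q "^$user:" "$htpasswd" 2>/dev/null; then
        printf '%s:%s\n' "$user" "$field" >> "$htpasswd"
    fi
}

# Check that all three pieces are in place; returns non-zero on the first gap.
verify_logout() {
    cgi_dir=$1; htpasswd=$2; user=${3:-logoutuser}
    [ -f "$cgi_dir/logoutfile" ] || { echo "missing logoutfile" >&2; return 1; }
    # The require line must sit inside the <Files "logoutfile"> block.
    sed -n '/<Files "logoutfile">/,/<\/Files>/p' "$cgi_dir/.htaccess" |
        grep -Eiq "^[[:space:]]*require[[:space:]]+user[[:space:]]+$user[[:space:]]*\$" ||
        { echo "no 'require user $user' in Files block" >&2; return 1; }
    grep -q "^$user:" "$htpasswd" ||
        { echo "$user not in $htpasswd" >&2; return 1; }
}

# Demo in a scratch directory (constructed; touches nothing on the real system).
demo=$(mktemp -d)
setup_logout "$demo" "$demo/.htpasswd" && verify_logout "$demo" "$demo/.htpasswd" \
    && echo "logout target configured in $demo"
rm -rf "$demo"
```

On a real host, pass the CGI directory and the existing password file as the two arguments; running it twice leaves a single `<Files>` block and a single password entry.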
Is there any consolidation for a log out mechanism? I've seen some attempts (above, Sandbox.HowToLogin), there is some code in WebLeftBar. But nothing that can be finalized for Dakar. Do we need SessionPlugin? Or would it be possible without?
--
ArthurClemens - 13 Jul 2005
Logging out using the SessionPlugin is straightforward: logout clearing the AUTHUSER session variable. The latter is not allowed by the SessionPlugin API but can be achieved by accessing the session object directly from within some plugin:
$TWiki::Plugins::SessionPlugin::session->clear($TWiki::Plugins::SessionPlugin::authUserSessionVar);
Alternatively, one might consider logging in as guest as logging out effectively, albeit you are then in a state of being authenticated as guest. Urgs. What's the merit of distinguishing not authenticated from authenticated as guest anyway as both states should have the same effect on access control?
--
MichaelDaum - 13 Jul 2005
AuthPagePlugin is an extension to SessionPlugin - please see my comments about rolling it into DakarRelease.
--
MartinCleaver - 13 Jul 2005
AFAIK, there's no logout mechanism in the AuthPagePlugin.
--
MichaelDaum - 13 Jul 2005
Thanks. I think I meant ApplicationAuthenticationAddOn (just more weight to the argument that consolidation is needed).
--
MartinCleaver - 13 Jul 2005
Definitely. The SessionPlugin & AuthPagePlugin are scheduled to be included into the kernel (AddSessionPluginToKernel). But IMHO the AuthPagePlugin is not feature-complete.
--
MichaelDaum - 14 Jul 2005
GregAbbas is working on rolling SessionPlugin and AuthPagePlugin into the core. See AddSessionPluginToKernel for his latest work.
--
CrawfordCurrie - 14 Jul 2005
Session and auth page plugins are now part of the develop codebase. SVN 5904.
--
CrawfordCurrie - 24 Jul 2005