kohesive / kovert

The invisible REST and web framework
MIT License

logout in example web app doesn't log out #36

Closed kenkyee closed 8 years ago

kenkyee commented 8 years ago

To reproduce:

apatrida commented 8 years ago

It doesn't log out because it uses basic auth, and basic auth does not have a logout. The browser remembers and sends the headers and so logging out a server-side session does nothing.

A more realistic auth handler (JDBC, OAUTH, JWT) would work fine.
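The behaviour described in the comment above, as an added example that is not part of the original thread and is not Kovert's code: a toy in-memory model in which deleting the server-side session has no lasting effect while the client keeps resending the Basic `Authorization` header. All function names, routes and the sample account are hypothetical, and a login-form handler stands in for the "more realistic" handlers as an assumption.

```javascript
// Toy in-memory model; every name here is hypothetical, none is Kovert's API.
const USERS = { alice: "s3cret" };       // constructed sample account
const sessions = new Map();              // session id -> username
let counter = 0;
const newSid = () => `sid-${++counter}`; // predictable ids, demo only
const valid = (u, p) => Object.prototype.hasOwnProperty.call(USERS, u) && USERS[u] === p;
// Decode "Authorization: Basic base64(user:pass)"; null if absent or wrong.
function basicUser(headers) {
  const m = /^Basic (.+)$/.exec(headers.authorization || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":");
  const user = decoded.slice(0, i);
  return i > 0 && valid(user, decoded.slice(i + 1)) ? user : null;
}

// Basic auth in front of a session: the header re-authenticates after logout.
function handleBasic({ path, headers = {}, sid = null }) {
  if (path === "/logout") { sessions.delete(sid); return { status: 200, sid: null }; }
  let user = sessions.get(sid);
  if (!user) {
    user = basicUser(headers);
    if (!user) return { status: 401, sid: null };
    sid = newSid();
    sessions.set(sid, user);             // session silently recreated
  }
  return { status: 200, sid, user };
}

// Form login: credentials are sent once, afterwards only the session id counts.
function handleForm({ path, body = {}, sid = null }) {
  if (path === "/logout") { sessions.delete(sid); return { status: 200, sid: null }; }
  if (path === "/login") {
    if (!valid(body.user, body.pass)) return { status: 401, sid: null };
    sid = newSid();
    sessions.set(sid, body.user);
  }
  const user = sessions.get(sid);
  return user ? { status: 200, sid, user } : { status: 401, sid: null };
}

// Replay "authenticate, log out, request again" the way a browser would.
function afterLogout(kind) {
  const basic = kind === "basic";
  const handle = basic ? handleBasic : handleForm;
  // Only the Basic client attaches credentials to every request.
  const headers = basic ? { authorization: "Basic " + Buffer.from("alice:s3cret").toString("base64") } : {};
  const first = handle({ path: basic ? "/app" : "/login", headers, body: { user: "alice", pass: "s3cret" } });
  handle({ path: "/logout", headers, sid: first.sid });
  return handle({ path: "/app", headers, sid: first.sid });
}
```

`afterLogout("basic")` still returns status 200 for `alice`, while `afterLogout("form")` returns 401.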

kenkyee commented 8 years ago

There is a hack, but I agree using JWT or OAuth would be the right way to do it :-) http://tuhrig.de/basic-auth-log-out-with-javascript/