[Twisted-web] Log out on guard login.

Andrea Arcangeli andrea at cpushare.com
Mon Jan 31 18:22:48 MST 2005


On Tue, Feb 01, 2005 at 12:29:08AM +0000, Jonathan Lange wrote:
> Hello,
> 
> We recently had some problems with the ISession hanging around even after a new login. Also IE has had some weird behaviour: when you log in with one set of credentials, hit back, then log in again (with incorrect credentials), you are still logged in with your original (correct) credentials.
> 
> To work around this, we've monkey-patched guard to logout and expire the session on login.
> 
> Below is a patch that adds this change to nevow SVN.
> 
> Known problems: 
> - line 295 calls portal.login straight-up, and so this patch doesn't help with certain http auth cases.
> - I may be doing weird evil wrong stuff with context, mostly because I don't understand it.
> 
> cheers,
> jml
> 
> 
> Index: nevow/guard.py
> ===================================================================
> --- nevow/guard.py      (revision 1123)
> +++ nevow/guard.py      (working copy)
> @@ -362,6 +362,11 @@
>          return UsernamePassword(username, password)
> 
>      def login(self, request, session, credentials, segments, anonymous=False):
> +        session.portalLogout(self.portal)
> +        from twisted.python import context
> +        ctxSession = inevow.ISession(context, None)
> +        if ctxSession:
> +            ctxSession.expire()
>          mind = self.mindFactory(request, credentials)
>          session.mind = mind
>          return self.portal.login(credentials, mind, self.credInterface).addCallback(
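Review bot: `inevow.ISession(context, None)` on the third added line adapts the `twisted.python.context` module object itself rather than looking up the session bound in the call context, so `ctxSession` is None unless an adapter is registered for module objects and the `expire()` branch is dead code. The session this login concerns is already the `session` argument, so either call `session.expire()` on it directly (and then reconsider `session.mind = mind` and the `self.portal.login(...)` that still run against the expired session on the following lines) or drop the context lookup and keep only `session.portalLogout(self.portal)`. The `from twisted.python import context` import also belongs at module level rather than inside `login`, and, as the cover note says, the direct `portal.login` call at line 295 bypasses this cleanup entirely.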

With my usage I had apparently no problem regardless of the above, but I can
imagine some other app may have a problem. My only problem was the logout, that
didn't drop the privileged stuff from the session. But a re-login without a
logout in between would overwrite everything privileged so I cannot notice any
difference. Though the problem is very similar to the one I had on the logout
side and you also did a session expiry in nevow like I did originally.

I believe the login can refresh the session with the avatar code like I'm doing
for solving the logout problem too.

I can see the second below unsetComponent not raising the exception during a
re-login without a logout in between, which means it's making a difference
(even if it makes no difference for my site) and it should allow you to fix up
your code optimally without regenerating the cookie.

If you copy my below code and you adapt it to your app, you should be able to
cleanup your session during both the logout and the re-login procedures.

Probably there should be a dumb-mode that expires the sessions both during
login and logout. I don't mind anymore myself since I just learnt how to solve
it, but the below stuff may not be worth it for simple sites.

For how to setup the Mind see the logout_guard2 example. I guess the
logout_guard2 example should be updated too with the session cleanup during
login.

# requestAvatar of the application's cred Realm. inevow comes from nevow and
# checkers from twisted.cred; iweb, guest and account are the application's
# own modules. See the logout_guard2 example for how the Mind is set up.
    def requestAvatar(self, avatar_id, mind, *interfaces):
        #print avatar_id, mind, interfaces
        for interface in interfaces:
            if interface is inevow.IResource:
                def logout(session):
                    # The callable returned here is what guard runs on logout:
                    # it drops the account component from the session.
                    def _logout():
                        # account
                        try:
                            session.unsetComponent(iweb.IAccount)
                        except KeyError:
                            # nothing was remembered on this session yet
                            pass

                        # force a full session expiry
                        #del session.guard.sessions[session.uid]
                    return _logout

                if avatar_id is checkers.ANONYMOUS or avatar_id.shutdown:
                    resc = guest.root_page_class()
                    resc.realm = self
                    return (inevow.IResource, resc, lambda : None)
                else:
                    resc = account.root_page_class(avatar_id)
                    resc.remember(avatar_id, iweb.IAccount)
                    resc.realm = self
                    # Re-login without a logout in between: drop whatever the
                    # previous login left on the session before remembering
                    # the new account.
                    session = mind.request.getSession()
                    try:
                        session.unsetComponent(iweb.IAccount)
                    except KeyError:
                        pass
                    return (inevow.IResource, resc, logout(session))

        raise NotImplementedError("Can't support that interface.")
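The interaction between the two approaches in this thread (clearing the account component from the session inside requestAvatar, and running the session's previous logout at the start of guard's login) is easier to see in a runnable model. The following is an added example, not nevow's code and not the code from either message: `Session` stands in for nevow's GuardSession (a twisted Componentized with per-portal logout callables), `Portal`, `Checker` and `Realm` for the twisted.cred objects, and `Guard.login` for the guard login path. `IAccount`, `IResource`, `Account`, `Mind`, `UnauthorizedLogin` and the sample users are hypothetical stand-ins.

```python
# Added example: plain-Python model of session cleanup on logout and re-login.
# Not nevow's code. Session/Portal/Checker/Realm/Guard mimic the shapes of
# nevow.guard and twisted.cred only as far as needed; IAccount, IResource,
# Account, Mind, UnauthorizedLogin and the users below are hypothetical.

class UnauthorizedLogin(Exception):
    """Bad credentials (stand-in for twisted.cred.error.UnauthorizedLogin)."""

class IAccount:
    """Marker for the logged-in account component (stand-in for iweb.IAccount)."""

class IResource:
    """Marker for the avatar resource (stand-in for nevow.inevow.IResource)."""

ANONYMOUS = object()  # stand-in for twisted.cred.checkers.ANONYMOUS


class Session:
    """Componentized-style session plus the per-portal logout callable that
    nevow's GuardSession keeps and runs from portalLogout()."""
    def __init__(self, uid):
        self.uid = uid
        self._components = {}
        self._logouts = {}

    def setComponent(self, iface, component):
        self._components[iface] = component

    def getComponent(self, iface, default=None):
        return self._components.get(iface, default)

    def unsetComponent(self, iface):
        # Like Componentized.unsetComponent: KeyError when never set, which is
        # why the code in the message wraps the call in try/except KeyError.
        del self._components[iface]

    def registerLogout(self, portal, logout):
        self._logouts[portal] = logout

    def portalLogout(self, portal):
        # Run and forget the logout the last successful login registered.
        logout = self._logouts.pop(portal, None)
        if logout is not None:
            logout()


class Mind:
    """What guard's mindFactory builds: hands the realm the session."""
    def __init__(self, session):
        self.session = session

class Account:
    def __init__(self, name):
        self.name = name

class Checker:
    def __init__(self, passwords):
        self.passwords = passwords

    def requestAvatarId(self, username, password):
        if self.passwords.get(username) == password:
            return username
        raise UnauthorizedLogin(username)


class Realm:
    """Follows the message: drop the previous IAccount component before
    remembering the new one, and return a logout that drops it again."""
    def requestAvatar(self, avatar_id, mind, *interfaces):
        if IResource not in interfaces:
            raise NotImplementedError("Can't support that interface.")
        session = mind.session
        if avatar_id is ANONYMOUS:
            return (IResource, "guest-root", lambda: None)

        def logout():
            try:
                session.unsetComponent(IAccount)
            except KeyError:
                pass  # nothing remembered on this session yet

        logout()  # re-login without logout in between: clear the old account
        session.setComponent(IAccount, Account(avatar_id))
        return (IResource, "account-root:%s" % avatar_id, logout)


class Portal:
    def __init__(self, realm, checker):
        self.realm, self.checker = realm, checker

    def login(self, username, password, mind, iface):
        avatar_id = self.checker.requestAvatarId(username, password)
        return self.realm.requestAvatar(avatar_id, mind, iface)


class Guard:
    """Guard-like login path. logout_first=True runs the session's previous
    logout before asking the portal, as the quoted patch does."""
    def __init__(self, portal, logout_first):
        self.portal, self.logout_first = portal, logout_first

    def login(self, session, username, password):
        if self.logout_first:
            session.portalLogout(self.portal)
        try:
            _, resource, logout = self.portal.login(
                username, password, Mind(session), IResource)
        except UnauthorizedLogin:
            return None  # failed login: the realm never ran, nothing replaced
        session.registerLogout(self.portal, logout)
        return resource


def current_account(session):
    acct = session.getComponent(IAccount)
    return acct.name if acct is not None else None

def run_scenario(logout_first):
    """Login as alice, re-login as bob with no logout, then fail a login;
    return the account name the session holds after each step."""
    users = {"alice": "a-pw", "bob": "b-pw"}  # constructed sample users
    guard = Guard(Portal(Realm(), Checker(users)), logout_first)
    session = Session(uid="s1")
    steps = []
    for username, password in [("alice", "a-pw"), ("bob", "b-pw"), ("bob", "wrong")]:
        guard.login(session, username, password)
        steps.append(current_account(session))
    return steps

if __name__ == "__main__":
    print("realm cleanup only   :", run_scenario(logout_first=False))
    print("plus logout on login :", run_scenario(logout_first=True))
```

With only the realm-side cleanup, a successful re-login replaces the old account, but a failed re-login never reaches requestAvatar and leaves the previous account on the session, which is the back-button behaviour reported at the top of the thread; running the session's previous logout at the start of login closes that gap without regenerating the cookie.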


