News: This forum is now permanently frozen.
Pages: [1]
Topic: logout button  (Read 1402 times)
« on: January 07, 2013, 10:27:26 »
bigbrother *
Posts: 12


Why isnĀ“t there any logout button in the WebUI?
I think it would be good if there is a logout button to kill the session.
Otherwise I have to close all the opened taps including the browser window.

Is there no way to include such thing? Is this not a security issue?

« Last Edit: January 07, 2013, 10:29:13 by bigbrother »
« Reply #1 on: January 07, 2013, 14:19:00 »
Lennart Grahl ***
Posts: 153

I don't understand why you've opened another thread about this topic.

Anyway, I'm quoting my reply for your first question:
m0n0wall is using HTTP authentication and therefore a "logout" is not possible.

There is no session:
Existing browsers retain authentication information until the tab or browser is closed or the user clears the history. HTTP does not provide a method for a server to direct clients to discard these cached credentials. This means that there is no effective way for a server to "log out" the user without changing the realm periodically, directing the user to close the browser, or using sessions in the URL.

And I don't think you have to worry about it. Recently, Manuel removed all modifying GETs and introduced CSRF magic tokens to the webgui.
« Reply #2 on: January 08, 2013, 09:45:22 »
bigbrother *
Posts: 12

yep, sorry for the double entry   Embarrassed

Thank you for your detailed explanation.

best regards
Pages: [1]
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines