Um, why doesn't the logout in cpanel actually log you out?
After logging out, I can go straight back in to CPanel without having to supply a password. Logout takes me to a page that says that I've logged out, but doesn't actually affect ability to access functionality. This is something of a security issue...
Yes, closing the browser works, but that has nothing to do with logging out. Other services have no trouble providing real logout - this forum being an obvious example, along with my old ISP's webmail, hotmail, etc.
F5 doesn't have any obvious effect.
[quote][i]Originally posted by felice[/i]
Yes, closing the browser works, but that has nothing to do with logging out. Other services have no trouble providing real logout - this forum being an obvious example, along with my old ISP's webmail, hotmail, etc.[/quote]
This forum authenticates via cookies; cPanel does so via HTTP basic authentication. There's no reliable way that a logout can be provided for such a system, since there's nothing in the protocol to delete auth info from a browser's cache. If you want to log out, close all instances of your browser. If that doesn't solve the problem, then your browser is not secure.
Is there a reason that CPanel doesn't use cookies (or preferably server-side authentication)? There shouldn't be a log out option if logging out isn't possible.
I can log out, as well as a lot of other people. cPanel DOES use cookies.
Cpanel does not use cookies. I have cookies off and can log in fine. It is basic .htaccess http authentication.
There is only one simple and foolproof method for logging out. Close your browser.
This is true of the RaQ4i control panel also. HTTP authentication is probably the most secure form of authentication you can have. It is far more secure than cookies that could be stolen from your system.
Marty Hoskins
TLC Web Enterprises
[quote][i]Originally posted by felice[/i]
Is there a reason that CPanel doesn't use cookies
[/quote]
Actually cpanel sets a cookie (cprelogin='no') before logging in. I guess it can never change to 'yes' if you're rejecting cookies.
[quote](or preferably server-side authentication)?[/quote]
Authentication takes place on the server, which is obviously better than having to depend on the user supporting cookies. But since auth data must be sent on every page request, browsers usually cache that information so users don't have to type it all the time. But that happens inside the browser, it doesn't have anything to do with the HTTP protocol - CPanel cannot delete that info.
[quote]There shouldn't be a log out option if logging out isn't possible.[/quote]
I agree. I would say more: There shouldn't be a log out option because logging out isn't possible (unless you close your browser, or whatever you have to do with your browser to delete auth info).
[quote]Authentication takes place on the server, which is obviously better than having to depend on the user supporting cookies. But since auth data must be sent on every page request, browsers usually cache that information so users don't have to type it all the time. But that happens inside the browser, it doesn't have anything to do with the HTTP protocol - CPanel cannot delete that info.
[/quote]
Cookies or HTTP Authentication aren't the only options. WebHub from href.com handles security nicely... a session id is passed in the url, and any cookie-type information is stored on the server. Logging out deletes the session, so old urls are no longer valid.
"Both Netscape Navigator and Internet Explorer will clear the local browser window's authentication cache for the realm upon receiving a server response of 401. This can effectively 'log out' a user, forcing them to re-enter their username and password. Some people use this to 'time out' logins, or provide a 'log-out' button."
Can we use this?
You can also resolve this (as we did) by putting pragma no-cache headers in your cpanel theme (to keep the main index.html from being cached)....
In the HEAD section:
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
then link to "/logout" as has been discussed. When the client hits back, the page won't be cached and they will get re-prompted for login (at least this is how it works on our end!)
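
An added example, not part of the original thread or cPanel's code, contrasting two logout approaches discussed above: the 401 response for HTTP basic authentication and a server-side session that is deleted on logout. The account, realm, paths and `X-Session` header are constructed for illustration.

```python
import base64, hmac, secrets

USERS = {"demo": "constructed-password"}  # constructed sample account
sessions = {}                             # server-side store: session id -> user

def _basic_user(headers):
    """Return the user if the Authorization header carries valid Basic credentials."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, pw = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    ok = user in USERS and hmac.compare_digest(pw.encode(), USERS[user].encode())
    return user if ok else None

def basic_app(path, headers):
    """Stateless Basic auth: 'logout' can only send a 401 asking the browser to forget."""
    challenge = {"WWW-Authenticate": 'Basic realm="panel"'}  # hypothetical realm
    if path == "/logout" or _basic_user(headers) is None:
        return 401, challenge
    return 200, {}

def session_app(path, headers):
    """Server-side session: logout deletes the record, so the old id is rejected."""
    if path == "/login":
        user = _basic_user(headers)
        if user is None:
            return 401, {}
        sid = secrets.token_urlsafe(32)
        sessions[sid] = user
        return 200, {"X-Session": sid}
    sid = headers.get("X-Session")  # hypothetical header; WebHub carries the id in the URL
    if sid not in sessions:
        return 401, {}
    if path == "/logout":
        del sessions[sid]
    return 200, {}

def demo():
    auth = {"Authorization": "Basic " + base64.b64encode(b"demo:constructed-password").decode()}
    token = {"X-Session": session_app("/login", auth)[1]["X-Session"]}
    return {
        "basic_logout": basic_app("/logout", auth)[0],       # 401 challenge sent
        "basic_replay": basic_app("/index", auth)[0],        # same header still accepted
        "session_logout": session_app("/logout", token)[0],
        "session_replay": session_app("/index", token)[0],   # id no longer exists
    }
```

In `demo()` the `basic_replay` result is 200: the 401 only prompts a cooperating browser to drop its cached credentials, while the server keeps accepting the same header. The deleted session id is refused with 401.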