redirect logout to external html page
|
ASNet0007
Joined: 2006-10-17
Posts: 151 |
Posted: Wed, 2008-06-04 10:58
|
|
I would like to redirect all users that click on the logout button to my entrance page which is just a simple html page located in my root folder. I am on Gallery 2.2.4 Cheers |
|
| Login or register to post comments |
Posts: 16313
modules/core/Logout.inc
find
$results['redirect']['view'] = GALLERY_DEFAULT_VIEW;change to
$results['redirect']['url'] = 'http://YourURL.com/page.html';Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 151
hi
For some reason this has not worked, it returns me to the gallery login page.
I have deleted the template cache.
I am using the Xtreme theme so later I'll have a look at this just in case it uses its own logoff code.
Posts: 16313
ooops:
$results['redirect']['href'] = 'http://YourURL.com/page.html';Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 151
cheers
Posts: 14
This works fine, until I use Web Server Authentication. Then gallery, as before, keeps returning with the login-page.
Subsequently the HTTPAuth login dialog will pop-up. Closing this one will then result in Error 401.
I am running Gallery version 2.3 core 1.3.0 with PHP version 4.3.11 apache2handler and Web Apache Webserver
Database = mysqlt 4.1.20, lock.system=flock
Operatingsystem = Linux 2.6.18-53.1.13.2.cc #1 SMP Wed Feb 27 18:26:42 EST 2008 i686
Standaard theme = carbon
Browser = Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)
I want to run gallery with Web Server Authentication (Basic).
This I got working with Authentification Directives in .htaccess. I also modified BreadCrumb.tpl to display a HOME-link in front of the breadcrumbs. This way I always can return to the external html calling page which is outside the HTTPauth realm.
But with this method the user gallery-session is not logged out from.
What I need is: Log-out from Gallery and return to the initial html calling page, so without returning to any Gallery page.
Ben
Posts: 16313
Just guessing here as I don't have a clue about server Authentication or much about rerwites in .htaccess
$results['redirect']['href'] = 'http://YourURL.com/page.html';to$results['redirect']['href'] = $_SERVER['HTTP_REFERER'];Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 14
Dave,
Thanks for your reply but it does not work. I did some testing and it does not make any difference whatever you put at that line.
So one or more of the three (!isset$result['options']) is false. Either 'return', 'delegate' or 'redirect'. Not sure how to find out which and how to proceed. What does $ret represent? Any place where I can find more info or flowscheme of the logout process?
When I put the line $results['redirect']['href'] = 'http://MyURL.eu/index.html'; after the next } and just before: return array(null,$results); I will be redirected but it seems that my session is not stopped.
Ben
Posts: 16313
Sorry no clue about sessions and if they get cleared or deleted or when
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 3369
The session is cleared in the logout controller (modules/core/logout.inc), lines 58 and 59:
Then the user is reset to the 'guest' id at 73:
$ret is used for the return codes from various functions in the Gallery2 API. It contains null if the call was successful, and various non-null elements if there was a fatal error, and the Gallery "an error occured" page should be shown to the user. Each time $ret is checked and found to be non-null execution is immediately passed all the way back up the call chain until it reaches back to main.php from where the error page can be arranged.
Posts: 14
I did some reading and according to comments of 'nivekiam'in http://gallery.menalto.com/node/87987 it is not possible to clear the the web browser's cache HTTP auth credentials.
But in http://codex.gallery2.org/Gallery2:Modules:httpauth it is explained how in a Gallery work-around the TryLogout page tries clearing the browser's authentication cache by as many tricks possible. And this works!!
Gallery logs out, but subsequently wants to open the Gallery login page (or any page not requiring Gallery authentication). Access to the Gallery directory however is still restricted through the server's HTTPauth. And because one of the Gallery tricks to clear the browser cache was successful the browser will popup the HTTP login box asking for credentials. This is a catch 22 situation from which I want to escape.
Once logged-out from Gallery, which includes clearing browser cache, I want to exit Gallery altogether and open a(ny) page in my website which is not restricted by server HTTP authentication.
Let it be clear, I am not using Apache HTTPAuth because I feel Gallery needs additional protection. Its own password protection system is perfect. But in my website I have a section restricted to family and friends only and they have to log-in to authenticate themselves.
To avoid that they have to log in again to get access to Gallery I use the Gallery HTTPauth module which listens for HTTP credentials passed on in the URL. But to get these credentials in the URL, I have to trigger Apache HTTPauth of the server to provide them. I did set this up by restricting access to the Gallery directory with Apache HTTPauth (Basic or Digest). For logging in this is fine, but logging out is still a problem.
Is there maybe a way to keep the Gallery directory outside the HTTPauth restriction alltogether, while the link calling Gallery, one way or the other, triggers the server's HTTPauth to authenticate a user and pass the required credentials to Gallery?
Ben
Posts: 3369
OK, here's some more technical info for you that might explain what's going on.
the regular core.Logout controller posts a Gallery::Logout event (Logout.inc line 46), that's picked up by the event handler registered by the httpauth module. The event handler code is in httpauth's module.inc, starting line 342. What the event handler does is simply return this as the event result code:
array('delegate' => array('view' => 'httpauth.TryLogout'))which is used back in the regular logout controller as it's regular exit value ($results['delegate']) so on exiting (after the userId is reset to guest and the session is cleared) control goes back to the httpauth module, this time running the httpauth.TryLogout view which is what tries the "tricks" to get the browser to dump its cached credentials. So far so good.
If you use floridave's trick above about setting a ['redirect']['href'] value in Logout.inc that gets used in preference to the ['delegate'] value (set by httpauth) - you get sent to the right exit page, but you haven't run the httpauth box of tricks to clear the browser credentials.
Let me see if I can make a suggestion for where you *can* get the exit page set, and *still* run the httpauth tricks.
Posts: 3369
Lordy, this is complicated.
I think the place where you need to set your final exit url is in httpauth's FinishLogout.inc.
What this code does is check if (when you get there) you're the anonymous user (good sign, your credentials were wiped and you're not logged in any more) and then send you thus:
$url = $urlGenerator->generateUrl(array('view' => GALLERY_DEFAULT_VIEW), array('forceFullUrl' => true)); return array(null, array('redirectUrl' => HttpAuthHelper::stripHttpAuthFromUrl($url)));On the other hand, if you *are*, after all the tricks, still logged in, it sends you to a page saying "couldn't log you out after all, you'll have to close your browser".
So if you change the call to the urlGenerator (FinishLogout.inc, line 46) to
$url = "http://where.I.want/to/go/to.next";(and bin the call to stripHttpAuthFromUrl I think) then that might even work for you!
Anyone who doesn't successfully log out will still get the page advising them to close their browser, which is probably what you want.
Posts: 14
Tested above suggestions (with and without binning the call to stripHttpAuthFromUrl), but no luck. No exit page and also no message having to close browser. I also put some bogus in:
if ($isAnonymous) {bogus}
This does not make any difference, no reaction at all. It appears that this section is not called for or not executed because $isAnonymous is false.
I am still trying to grasp the process (I not a coder at all, just a stubborn hobbyist).
To me there seem to be two processes executed in following order:
1. Clear the browser cache using all 'tricks' with TryLogout and FinshLogout.
2. Logout Gallery user session.
I verified several times that both are completed succesful, with and without all suggested changes. But this is not followed by exit from Gallery.
The 'exit page' should be called for somewhere at the end of the Gallery logout just before closing the log-out view.
AlecMyers, thank you very much for your efforts and time, hopefully a solution can be reached. I wonder how others got past this HTTPauth hump.
Ben
Posts: 3369
Well if there was no reaction at all, I'm tempted to say you're editing the wrong file, because
{bogus}is a php syntax error and will throw a parse error and give you a white page (or an error message if debugging is enabled) as soon as the file is loaded, and before execution of any of Gallery begins.Posts: 14
I am editing /var/www/html/gallery/modules/httpauth/FinishLogout.inc and I have literally put: if ($isAnonymous) {bogus}
Cleared template cache, restarted browser, opened Gallery.
No error messages and also the debug details seem normal. No syntax error reported.
<?php
/*
* Gallery - a web based photo album viewer and editor
* Copyright (C) 2000-2008 Bharat Mediratta
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at
* your option) any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
GalleryCoreApi::requireOnce('modules/httpauth/classes/HttpAuthHelper.class');
/**
* Check that logout was successful and warn the user to close the browser window if not.
* @package HttpAuth
* @subpackage UserInterface
* @author Jack Bates <ms419@freezone.co.uk>
* @version $Revision: 17580 $
*/
class FinishLogoutView extends GalleryView {
/**
* @see GalleryView::loadTemplate
*/
function loadTemplate(&$template, &$form) {
global $gallery;
$urlGenerator =& $gallery->getUrlGenerator();
list ($ret, $isAnonymous) = GalleryCoreApi::isAnonymousUser();
if ($ret) {
return array($ret, null);
}
if ($isAnonymous) {
bogus
}
return array(null, array('body' => 'modules/httpauth/templates/FinishLogout.tpl'));
}
}
?>
Posts: 3369
Then the FinishLogoutView is never being executed. Which explains why your redirect there isn't working.
Go back to the TryLogout controller and introduce 'errors' like {bogus} around line 45. See what gets put into the $TryLogout array (should be two urls, that are the ones that get passed to the TryLogout template. Try getting that template up on screen (with javascript disabled) and see if you get the "if you're not redirected in 10 seconds click here..." link - and see where that link takes you.
Posts: 14
Whoops, that's all a bit fast for me.
You mean I should edit /gallery/modules/httpauth/TryLogout.inc?
How do I get to see the content of gets?
At this end its bedtime, I will be back tomorrow
Posts: 3369
What I'm suggesting you do next isn't very sophisticated. I reckon execution ought to go through the FinishLogoutView, and what you said earlier suggests it isn't. So I'm say step back a stage, and see if it's getting to the part which (I think) should be sending it there, that is, the TryLogout Controller.
You could just stick some "print 'here I am, in TryLogout Controller-land!';" statements and see what shows up.
Posts: 16313
Sessions and cookies never fill me up.
Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team
Posts: 14
This speeds up my intentions to start studying PHP.
I understand what you are saying and I wil do some testing, will need some (suitable) time though. Will be back when I run into something of interest.
Don't wait for me in case you got the solution, help others out off their HTTPauth mistery
Ben
Posts: 14
Did some tracking with "echo" statements. All indeed goes fine all the way to the bottom of Logout.inc where control is returned to the httpauth module, which in turn runs the httpauth.TryLogout view. Starting at line 45 the array $TryLogout is filled with two Url's to the FinishLogout view which are prefetched with random (invalid) user and password combinations. This in an attempt to replace the authentication cache with an invalid username and password.
Example:
Key: scriptUrl Value: http://_LOGOUT_0123456789:9876543210@testserver/gallery/mainphp?g2_view=httpauth.FinishLogout
Key: hrefUrl Value: http://_LOGOUT_1234567890:0987654321@testserver/gallery/mainphp?g2_view=httpauth.FinishLogout
In my case it's at this poit that things go different than hoped for, I don't get (anonymous) access to the FinishLogout view. As the (Apache) server receives an invalid authentication it returns a header 'HTTP/1.0 401 Unauthorised'. This in turn will trigger the client browser to pop up the Username/Password input window.
This is the situation I end up when logging out off Gallery. When I would enter a valid authentication at this point, the script falls in a loop, continuously popping up the input window. But when I cancel or close the pop up window I get the 'Error 401 Unauthorised' page. The good thing is that at this point both the Gallery session and the HTTP cache are cleared.
We need a HTTP Authentication hook in PHP which intercepts this 'HTTP/1.0 401 Unauthorised' call of the server, being the result of the false login attempt, and make a redirect (exit) to the external HTML page.
Posts: 3369
What you say makes no sense to me, I'm afraid, or indicates a misconfiguration on your site.
Apache doesn't know or care if the authentication it recieves at that point is valid or invalid; there's no mechanism in Apache to check usernames (unless you've mistakenly configured one outside G2). The only place that should return a 401 for a G2 page is modules/httpauth/classes/HttpAuthHelper.class line 329.
Make sure that your gallery directory is not protected by anything in .htaccess or virtual host configuration that requires authentication.
Posts: 14
Well that explains a lot!
The only way I managed to get some kind of HTTP Basic Authentication working was by protecting the gallery directory in .htaccess as stated in my first entry in this thread on Tue, 2009-11-03 17:07. I have been barking up the wrong tree.
I used the information in http://codex.gallery2.org/Gallery2:Modules:httpauth, but this document is not clear at all.
I did set up the URL Rewrite module with a succesful test and and activated the HTTP Auth rule.
Then I set up the HTTP Auth module and in the settings I ticked to handle HTTP Basic authentication directly and to use the authentication plugins for all modules.
My gallery is set up to allow access only to registered users so when calling Gallery the gallery login page (View=core.UserLogin) opens.
With the HTTPauth module I was expecting that this login page would no longer appear but instead the HTTP Username/password input window.
This did not work however. After a lot of forum searches and trials I managed to get the HTTP login working by protection configured in .htaccess which at that time seemed logical. It appears I am not the only one thinking this to be the correct way to set up: http://gallery.menalto.com/node/72498, http://gallery.menalto.com/node/64871, http://gallery.menalto.com/node/66560. Maybe a more step by step HTTPauth instruction set would be beneficial here.
It is now easyly explained why the logout did not work!!
So I removed the directives in .htaccess and will have to do serious troubleshooting again to get httpauth working.
All recent entries since 2009-11-03 have no longer any relation to the original subject of this thread, so maybe they should be (re)moved.
Thank you all for time and effort spend. I might be back in another thread when I can't get Gallery HTTPauth operational
Ben
Posts: 3369
Actually it doesn't look the httpauth module does what you want, anyway: http://gallery.menalto.com/node/66560#comment-241709
Posts: 14
Got things ticking with some information from http://php.net/manual/en/features.http-auth.php and in particular the contribution http://www.php.net/manual/en/features.http-auth.php#73386
Pasted the following lines in the top of /gallery/index.php:
In the $valid_passwords array of course should be a user and password which exist in the gallery.
Calling Gallery now with index.php will popup the HTTP login window. After entering the correct credentials the log-in to Gallery will be successful via the httpauth module. Logging out will also complete succesful with both the session and the browser cache cleared.
Tried also with the above lines in main.php. This also successfully logs in, but the logging out fails.
Still a lot of puzzling left to integrate things with the existing AuthFiles but the opening is found.
Posts: 3369
What happens if you amend the code to just check for the existence of *some* username/password, rather than having to hard-code all G2 usernames into a php file - and leave the pass/fail to G2?
Posts: 14
The hardcoding was used for testing the triggering of HTTP authentication.
The following will leave the pass/fail to gallery.
However in case of a failure to pass gallery authentication, gallery will open it's own Login view. When now logging in correctly in this view gallery will open, but the HTTP realm will not be corrected and still contain the inititial wrong credentials.
My preference is to have HTTP Basic Authentication validating the credentials making use of the AuthUserFile as suggested in http://www.php.net/manual/en/features.http-auth.php#38517. I will post the complete code when I get something working.
In the meantime I ran into another problem when testing the Gallery httpauth logout on different browsers. Things work fine with Firefox.
However using IE, things crash when TryLogout.tpl tries to open the view httpauth.FinishLogout with the Url's provided in $TryLogout. Starting at line 45 in TryLogout.inc this array $TryLogout is filled with two Url's prefetched with random (invalid) user and password combinations.
Example: http://_LOGOUT_0123456789:9876543210@testserver/gallery/mainphp?g2_view=httpauth.FinishLogout
However IE banned this URL syntax with credential prefetch for security reasons and I suspect that also the errors I get with Opera and Chrome stem form the same source.
Any sugestions for a work-around (potentially in HttpAuthHelper::_buildUrl)? Or maybe follow a whole new course using example http://www.php.net/manual/en/features.http-auth.php#93859