Description of problem: clicking link logout should actually logout
Version-Release number of selected component (if applicable): beaker-devel Version - 0.13.1
How reproducible: always.
Steps to Reproduce:
1. click link logout.
2. click link login
3.
Actual results: you will see, the former account login automatically, actually when clicking logout it is not logout, we should clear cookies and close the browser, then it works.
Expected results: it should logout without clearing cookies and closing browser.
Additional info:
This is a limitation of the way browsers handle Kerberos - once the browser has loaded the user's Kerberos ticket, it will supply it automatically in response to any later requests for authentication from Beaker.
Maybe it is not very important, but this 'logout' has really been confusing many times, and other projects which also use Kerberos tickets have no 'logout' on the web, like TCMS, so I'd like to change this bug to an RFE just for recording.
Logging out does have an effect (it deletes the existing authentication token) even when Beaker is configured to use Kerberos authentication, and the "Logout" link does have that desired effect. So there is really no bug here. It is beneficial to still show the logout link under some circumstances (for one thing, to test the web UI behaviour without an authenticated session) so I don't think we should conditionally hide it. Reading between the lines in comment 0 it seems like the request is actually to be able to click Login and then *not* have the browser automatically authenticate using your Kerberos ticket, but rather prompt for credentials (presumably for testing under other accounts or such). But the entire point of Kerberos ticket authentication is that there is no authentication prompt. If you want an authentication prompt, the right answer is to either disable Kerberos negotiation in the browser, or just kdestroy so that there is no valid Kerberos ticket. There is no way for the Logout link in Beaker to somehow trigger kdestroy, nor would it even make sense or be desirable to do that.
Steps to reproduce, on a Beaker instance configured to use Kerberos:
1. kinit
2. In a new browser session, open Beaker: you are not authenticated, the menu shows "Log in"
3. Click "Log in": browser authenticates you without prompting using your Kerberos ticket
4. kdestroy
5. Click around in Beaker: you will see that you are still authenticated due to the authentication token stored in a cookie
6. Click "Log out": authentication token is cleared, now you are logged out
7. Click "Log in" again: prompted for authentication because there is no Kerberos ticket
Step 6 in this process illustrates that the Logout link does actually do something useful.
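
Added example, not part of the original comments and not Beaker's code: a simplified Python model of the two independent credentials discussed in this thread, the session token in a cookie and the Kerberos ticket in the user's cache. The `Server` and `Browser` classes and the user name `alice` are hypothetical, and the Negotiate exchange is reduced to passing the ticket holder's name.

```python
import secrets

class Server:
    """Toy Kerberos-enabled web app (assumption: one token per login)."""
    def __init__(self):
        self.sessions = {}                      # session token -> username
    def whoami(self, cookie):
        return self.sessions.get(cookie)
    def login(self, negotiate_user=None):
        if negotiate_user is None:              # models 401 + "WWW-Authenticate: Negotiate"
            return 401, None
        token = secrets.token_hex(16)
        self.sessions[token] = negotiate_user
        return 200, token
    def logout(self, cookie):
        self.sessions.pop(cookie, None)         # token is invalidated server-side

class Browser:
    def __init__(self, server):
        self.server, self.cookie, self.ticket = server, None, None
    def kinit(self, user):
        self.ticket = user                      # stands in for a valid ticket cache
    def kdestroy(self):
        self.ticket = None
    def click_login(self):
        status, token = self.server.login()
        if status == 401 and self.ticket:       # browser answers the challenge silently
            status, token = self.server.login(self.ticket)
        if status != 200:
            return "prompt"                     # no ticket: user is asked for credentials
        self.cookie = token
        return "authenticated"
    def click_logout(self):
        self.server.logout(self.cookie)
        self.cookie = None
    def current_user(self):
        return self.server.whoami(self.cookie)

def walkthrough(destroy_ticket):
    """Steps 1-7 above; destroy_ticket=False reproduces the original report."""
    b = Browser(Server())
    b.kinit("alice")
    seen = [b.current_user(), b.click_login()]  # steps 2 and 3
    if destroy_ticket:
        b.kdestroy()                            # step 4
    seen.append(b.current_user())               # step 5: cookie still valid
    b.click_logout()
    seen.append(b.current_user())               # step 6: token cleared
    seen.append(b.click_login())                # step 7
    return seen
```
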