James,
Thanks for the explanation. I am going to change my logout to do a redirect.

Jeff

-------------- Original message --------------
From: "James Bennett" <[EMAIL PROTECTED]>

> On 4/11/07, jeffhg58 wrote:
> > The only problem I am having is when I log out and either hit the back
> > button or go to my home
> > page from the browser it does not give me the login prompt window.
>
> This is kind of tricky and exposes a pseudo-bug in Django.
>
> What's happening is this:
>
> 1. At the time the request starts, you're logged in, and so the
> AuthenticationMiddleware sets 'request.user' so that it returns your
> User object, which in turn returns True on an 'is_authenticated()'
> check.
> 2. At the time that you hit the 'login_required' decorator, you
> haven't yet hit the view code which logs you out, so you pass that
> check and don't get redirected to a login form.
> 3. When the 'logout' view logs you out, it doesn't reset
> 'request.user', so any template rendering which uses an
> 'is_authenticated()' check will get confused (this is the bug).
> 4. When the response comes back to your browser, it includes cookie
> headers which make the logout persist.
>
> So if you use the 'logout' view and return a template directly from
> it, the template may "think" you're logged in even though you're not
> (you can't actually do anything which requires authentication, it's
> just that 'request.user' wasn't updated before the template rendered).
> If you instead have 'logout' redirect to another URL, you'll see
> everything working intuitively, because that involves a new request
> which starts out with 'request.user' as an AnonymousUser.
>
> Hitting the back button probably causes the behavior you're seeing
> because some browsers don't actually hit the server on a "back" and
> instead reload the page from cache, which means you'll see the same
> thing you saw when you were logged in previously.
>
> The confusing aspects of this can be handled by having Django reset
> 'request.user' on authentication changes (it also doesn't do so on
> login, which can be somewhat counterintuitive when using things like
> the registered comments model), so I'll file a ticket for that.
>
> --
> "Bureaucrat Conrad, you are technically correct -- the best kind of correct."
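
The request lifecycle described in the quoted message, as an added stand-alone model that is not part of the original thread and is not Django's code. It covers steps 1, 3 and 4 and compares a logout view that renders a template with one that redirects; every name in it (`SESSIONS`, `Request`, `auth_middleware`, `logout_rendering`, `logout_redirecting`, `demo`) and the session data are hypothetical.

```python
# Stand-alone model of the lifecycle in the quoted message (not Django code).
# All names and the session data below are constructed for illustration.
SESSIONS = {"abc123": "jeff"}            # server-side session store


class Request:
    def __init__(self, cookie):
        self.cookie = cookie
        self.user = None                 # filled in once by the middleware


def auth_middleware(request):
    """Step 1: resolve request.user when the request starts."""
    request.user = SESSIONS.get(request.cookie)   # None means anonymous


def render(request):
    """Template that branches on the per-request user object."""
    return f"Hello {request.user}" if request.user else "Please log in"


def logout_rendering(request):
    """Step 3: the session ends, but request.user is left stale."""
    SESSIONS.pop(request.cookie, None)
    return {"status": 200, "body": render(request), "set_cookie": ""}


def logout_redirecting(request):
    """The fix from the thread: end the session, then force a new request."""
    SESSIONS.pop(request.cookie, None)
    return {"status": 302, "location": "/", "set_cookie": ""}


def home(request):
    return {"status": 200, "body": render(request)}


def handle(view, cookie):
    """One full request: middleware first, then the view."""
    request = Request(cookie)
    auth_middleware(request)
    return view(request)


def demo(logout_view):
    """Log out with the given view, then make the browser's next request."""
    SESSIONS["abc123"] = "jeff"                   # reset constructed state
    first = handle(logout_view, "abc123")
    follow_up = handle(home, first["set_cookie"])  # step 4: cookie cleared
    return first, follow_up
```

In both variants the session is gone as soon as the logout view runs; only the page rendered inside the logout request itself still shows the logged-in state.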