Authentication in WebDev Module

UPDATE: This is resolved in Ignition versions 7.9.5 and higher. Make sure you also have the latest version of the WebDev module itself.

I am working on a simple JSON api to return some tag data. I have easily been able to implement the ‘Require Authentication’ checkbox. I am facing two issues. They both revolve around the fact that the user appears to get one shot entering their credentials.

If the user enters the credentials correctly, I can’t seem to find a way for them to log out and destroy the session dictionary related to the user. I have tried setting session[‘user’] to none, and also removing the ‘user’ key from the session dictionary. I also tried using system.security.logout(). Neither of these worked.

Additionally, if the credentials are entered incorrectly, the user does not get another chance to enter the credentials. They are forced to quit their browser and reopen it to try again.

Is there a way to destroy this session[‘user’] object and prompt the user to enter their login info again without forcing them to quit and reopen their browser?

Update 8/1/17 : I have also tried resetting the session equal to an empty dict session = {}. This doesn’t seem to work. I came across a couple articles suggesting to send wrong credentials as a workaround, but this doesn’t seem to work either. Any help would be much appreciated.

I think this is a bug in the WebDev module. It seems we’re returning a 403 when we should be returning 401. Clearing the session on the server has no effect on the browser, which after seeing a 403 does not need to ask for credentials again.

Basically, I just need some way for the session to be cleared and the HTTP basic login box to pop back up without closing the browser.

Can you think of anything else I can do to get around this?

Even changing it to a 401, with or without invalidating the session, doesn’t seem to work…

I have no idea how to convince the browser to forget the credentials.

I think this is a pretty standard feature for the WebDev module to have. Can we work toward a resolution?

We figured out that it needs to be a 401 response that includes a WWW-Authenticate header. It will be fixed in an upcoming release.

Thank you Kevin! If you could update the thread when you know what version this will be included in, that would be great.

Can you provide a rough timeline for when this will be fixed/released? We need to make a decision in the next few days if we will roll our own authentication or use the build in web-dev auth. Please let me know as soon as possible.

It’s scheduled for 7.9.5. I don’t know how long that will be - 7.9.4 is only in release candidate phase right now.

Thank you again Kevin!

Hello!

Is there something new about authentication?

Thanx in Advance!

This fix/change will be in 7.9.5.

Now that 7.9.4 is released, is there a timeframe for version 7.9.5. This is a very critical feature for us.

7.9.5 should be released sometime next week unless testing turns up some issues.

Awesome! Thanks for the quick response Kevin.

7.9.5 was released, and we have updated. However, i am still getting this issue. I have a script in webdev with just a hello world and have checked require authentication.

I am still getting a 403 response when I enter bad credentials and am not prompted again to re-enter them. I am stuck quitting my browser, then reopening to get the HTTP Basic login form to show up again.

What I really need, is to be prompted again if the login information is invalid. Additionally, if I am authenticated I would hope that sending a garbage username and password to the url will function as a log out of sorts and would expect this to send a 401 response for bad authentication.

Please let me know if there is something I am missing.

Just to double check… you updated the WebDev module too? THe Ignition installer does not contain the WebDev module upgrade.

I did not, let me give that a try!

Were you able to confirm this is resolved? I am still on 7.9.4 and definitely have the same issue, so I’ll be happy if an update fixes this.