
The user is not fully logged out after a failed login attempt #12

Closed
antoneliasson opened this issue May 10, 2013 · 1 comment

Comments

@antoneliasson

Mozilla recommends in its implementors' guide for Persona that you call navigator.id.logout() in the JavaScript if the assertion fails to verify. This can be easily checked in a jQuery request, like in the demo in their quick setup guide.

In commit c33d228, as part of issue #8, the Ajax call was replaced by a form submission, which, as far as I understand, makes this type of checking difficult. Could you explain why this was done, because I do not fully understand the motivation in issue #8?

In its current state, if the assertion failed to verify for any reason, pyramid_persona will show the login view with an HTTP 400 header to the user. However, Persona now believes that the user should be logged in, and so if the user revisits a forbidden view (or, presumably, any page with a login button), it will attempt an automatic login which will fail again. Until the user manually removes some cookies from login.persona.org, the entire web app might be unusable.

@madjar madjar closed this as completed in 6905e01 May 21, 2013
@madjar
Owner

madjar commented May 21, 2013

The form submission was initially done to allow the application writer to easily change the login view and redirect the user wherever they wanted. I've just rewritten that part to have the same feature with an Ajax call, so that I can now call navigator.id.logout() in case of failure. This should fix the problem.

I'll make a release for this in a few days if there are no further problems with this.
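The client-side flow both comments describe, as an added example that is not pyramid_persona's own code: the assertion is posted to the verification view, and navigator.id.logout() is called whenever the server does not accept it, so Persona stops retrying the automatic login. The '/login' path, the 'assertion' field name and the FakePersona stand-in are assumptions made for this example.

```javascript
// Core decision: accept the login only on a 2xx answer from the verification
// view. On anything else (pyramid_persona answers 400 when the assertion does
// not verify) tell Persona the login failed, otherwise it keeps believing the
// user is logged in and retries on every page that has a login button.
function settleLogin(persona, status) {
  const accepted = status >= 200 && status < 300;
  if (!accepted) {
    persona.logout();
  }
  return accepted;
}

// Browser wiring around navigator.id.watch(). fetch is sent with credentials
// so the session cookie reaches the server; the verifyUrl path and the
// 'assertion' form field are assumptions, not pyramid_persona's actual names.
function watchPersona(persona, verifyUrl, onAccepted) {
  persona.watch({
    onlogin: function (assertion) {
      fetch(verifyUrl, {
        method: 'POST',
        credentials: 'same-origin',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
        body: 'assertion=' + encodeURIComponent(assertion),
      })
        .then((res) => settleLogin(persona, res.status))
        .catch(() => settleLogin(persona, 0)) // network error: treat as rejected
        .then((accepted) => { if (accepted) onAccepted(); });
    },
    onlogout: function () {
      // Server-side session teardown (a POST to the logout view) goes here.
    },
  });
}

// Constructed stand-in for navigator.id so the decision logic can be run
// outside a browser; it only records how often logout() was called.
function FakePersona() {
  this.logoutCalls = 0;
}
FakePersona.prototype.logout = function () { this.logoutCalls += 1; };
FakePersona.prototype.watch = function () {};

// Runs the two cases from the issue: a verified assertion (200) and a
// rejected one (400). Returns both outcomes and the logout() call count.
function demo() {
  const persona = new FakePersona();
  const okLogin = settleLogin(persona, 200);
  const badLogin = settleLogin(persona, 400);
  return { okLogin: okLogin, badLogin: badLogin, logoutCalls: persona.logoutCalls };
}
```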
