[Zope] Revoking authentication (or: logging out)?

Alexander Staubo alex@mop.no
Thu, 17 Jun 1999 03:24:11 +0200


Cookies or URL embedding are two possible solutions. Cookies store
login state and expiry information; your pages validate this information
and emit a 401 if incorrect. This is to augment, not replace, Zope's
security system, although most likely you'll be forced to do your own
HTTP authentication (which iirc means writing your own UserFolder
descendant wrapped in a Zope Product).

URL embedding is just a variation that embeds the information in URLs
rather than inside cookies (you should obfuscate or hexbin the
information to avoid problems); this is typically more relevant on
public sites where some users might not have cookies enabled, or are
running a non-cookie-enabled browser. Otoh, the downside is you have to
put this stuff in every single secure URL.

I hear Chris Petrilli is the resident security dude at DC. Perhaps he
can shed more light on this subject; I just drained the bulk of my
knowledge on this topic. :-)

Imho a solution to this problem should be built into Zope, since it's so
common.

--
Alexander Staubo             http://www.mop.no/~alex/
"`Ford, you're turning into a penguin. Stop it.'"
--Douglas Adams, _The Hitchhiker's Guide to the Galaxy_

>-----Original Message-----
>From: corbet@eklektix.com [mailto:corbet@eklektix.com]
>Sent: 17. juni 1999 02:41
>To: zope@zope.org
>Subject: [Zope] Revoking authentication (or: logging out)?
>
>
>I'm working on a system to make medical records available via a web
>interface.  It needs to make different levels of access available to
>different sorts of people (doctors, nurses, clerical staff) - a perfect
>match for Zope's roles.
>
>But I've encountered one rub: the web browser will be running on PCs
>sitting in various spots in the clinic's offices: the doctor's office, work
>areas, even examination rooms.  There will be a different person sitting
>down at it every few minutes.  But, with "Basic" authentication, once the
>web browser has your username/password in its clutches, it never lets go.
>
>We're dealing with medical records here, so it is a poor idea to leave a
>"logged in" browser sitting around in a public place.  What I am looking
>for is a way to put in a "log out" option that stops short of killing and
>restarting the browser.  Has anybody else figured out a way to do this?
>
>Thanks,
>
>jon
>
>Jonathan Corbet, Eklektix, Inc.
>corbet@eklektix.com
>
>_______________________________________________
>Zope maillist  -  Zope@zope.org
>http://www.zope.org/mailman/listinfo/zope
>
>(For developer-specific issues, use the companion list,
>zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
>
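The cookie-based scheme sketched in the reply above, as an added example that is not part of the original mail or of Zope: the server keeps the login state (user, roles, last activity) and hands the browser only an opaque, HMAC-signed session id. Because the state lives on the server, a "log out" page can revoke it at once, which is exactly what Basic authentication cannot do, and an idle timeout covers the shared-PC case where nobody clicks log out. The `SessionStore` class, `authorize` function, role names and the injectable clock are all constructed for this example; `to_url_token`/`from_url_token` show the URL-embedding variant by encoding the same signed value, which is one way to read the reply's "obfuscate or hexbin" advice.

```python
import base64
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Server-side login sessions, constructed for this example (not Zope's own code)."""

    def __init__(self, secret: bytes, idle_timeout: int = 300, clock=time.time):
        self._secret = secret          # HMAC key; in practice loaded from config, not hard-coded
        self._idle_timeout = idle_timeout
        self._clock = clock            # injectable so expiry can be tested without sleeping
        self._sessions = {}            # sid -> {"user", "roles", "last_seen"}

    def _sign(self, sid: str) -> str:
        # The cookie value is "<random id>.<hmac>"; the MAC lets the server
        # reject altered cookies before touching the session table.
        mac = hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{mac}"

    def login(self, user: str, roles) -> str:
        sid = secrets.token_urlsafe(16)   # unguessable session id
        self._sessions[sid] = {"user": user, "roles": set(roles),
                               "last_seen": self._clock()}
        return self._sign(sid)

    def validate(self, cookie):
        """Return the session for a valid, unexpired, unrevoked cookie, else None."""
        if not cookie or "." not in cookie:
            return None
        sid = cookie.rsplit(".", 1)[0]
        if not hmac.compare_digest(self._sign(sid), cookie):
            return None                   # tampered or forged cookie
        session = self._sessions.get(sid)
        if session is None:
            return None                   # revoked by logout, or never issued
        now = self._clock()
        if now - session["last_seen"] > self._idle_timeout:
            del self._sessions[sid]       # idle too long: treat as logged out
            return None
        session["last_seen"] = now        # sliding idle window
        return session

    def logout(self, cookie) -> None:
        """Revoke the session server-side; the browser's copy becomes worthless."""
        if cookie and "." in cookie:
            self._sessions.pop(cookie.rsplit(".", 1)[0], None)


def authorize(store: SessionStore, cookie, required_role: str):
    """Mimic a page check: 200 if the session carries the role, else a 401 challenge."""
    session = store.validate(cookie)
    if session is None or required_role not in session["roles"]:
        return 401, {"WWW-Authenticate": 'Basic realm="records"'}
    return 200, {}


def to_url_token(cookie: str) -> str:
    """URL-embedding variant: the same signed value, URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(cookie.encode()).decode().rstrip("=")


def from_url_token(token: str) -> str:
    padding = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + padding).decode()


if __name__ == "__main__":
    clock = [1000.0]                       # constructed fake clock, seconds
    store = SessionStore(b"constructed-secret", idle_timeout=300,
                         clock=lambda: clock[0])
    cookie = store.login("dr_example", {"Doctor"})
    print("doctor page:", authorize(store, cookie, "Doctor")[0])   # 200
    store.logout(cookie)
    print("after logout:", authorize(store, cookie, "Doctor")[0])  # 401
    cookie = store.login("nurse_example", {"Nurse"})
    clock[0] += 301                        # walk away from the exam-room PC
    print("after idle timeout:", authorize(store, cookie, "Nurse")[0])  # 401
```

The check that matters for the original question is the `logout` call: the browser may still hold the cookie, but the server no longer has a matching session, so the next request gets a 401 challenge instead of the cached credentials silently working as they do with Basic auth. The idle timeout uses a sliding window, so a busy user stays logged in while an abandoned browser expires on its own.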