[Zope] Prompting for login, logging out?

Sam Gendler sgendler@impossible.com
Wed, 12 Jan 2000 14:41:01 -0800


Art Hampton wrote:
> 
> Sam Gendler wrote:
> > Logging a user out is simple.  The normal acl_users folder uses basic user
> > authentication.  The form of authentication causes a browser to send the
> > supplied username and password on every request made to that domain name.  The
> > browser will not stop sending this authentication header until the browser is
> > restarted or a page comes back unauthorized, in which case a new login dialog
> > box gets sent to the user.  Consequently, if you write a dtml method that sends
> > a 401 Not-Authorized message back to the user, the browser will present a new
> > login box to the user, and it will stop sending the old one.  Unfortunately,
> > there is no way to combine a redirection with a 401 message, so you cannot
> > invalidate their authentication and redirect them to an anonymously available
> > page at the same time.  Consequently, the best you will be able to do is to have
> > them click log out and be immediately faced with a new login box.  You can
> > provide a page that shows up when the user clicks cancel on the dialog box,
> > though.
> 
> Sam,
> 
> Not sure if I'm asking a Zope question or an HTTP question, so I haven't
> cc'ed zope@zope.org.  If it's a Zope question, feel free to cc them on
> your reply (if you're kind enough to reply :).
> 
> How do I provide a page that shows up when the user clicks cancel?
> 
> I'm probably going to be using the LDAPAdapter product, if that's any
> help.
> 
> Thanks for any help.

It is really an HTTP question, but I don't know how Zope addresses the
issue.

When the server sends the HTTP headers that tell the browser that the
user is not yet authorized (401 status code), it can still include a
body (an html document) after the headers, just like on a normal
request.  The browser displays that page when you click cancel.

From looking at the documentation at
http://www.zope.org/Documentation/Guides/DTML-HTML/DTML.5.4.html, I
would guess that if you serve a standard dtml document to the client,
but you call <dtml-call "RESPONSE.setStatus(401)"> from somewhere in the document,
you will get a login prompt, but when you hit cancel, you will see the
page.  If you are interested in other available status codes, check out
http://www.w3.org/Protocols/rfc2616/rfc2616.html, a document that every
web developer should have just about memorized, if you ask me.  Make
sure that any images referenced in the page are not in the authenticated
folder, or they will get multiple login prompts after hitting cancel.

You will have to ask the list if there is a way to do this automatically
during acl_users authentication.  You might have to resort to modifying
the Generic User Folder to do it.  I am CC'ing the list for comments.

--sam
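The mechanism Sam describes (a 401 that carries both a WWW-Authenticate challenge and an HTML body the browser shows on cancel, with the page's images kept outside the protected area) can be seen end to end in the following added example. It is not code from the thread or from Zope; it is a small stand-alone Python HTTP server with Basic authentication. The realm name, the /logout, /public/ and /static/ paths, and the single demo user "alice" are constructed for illustration.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Zope"

# Constructed demo credential store (hypothetical). A real site would hold
# credentials in acl_users / LDAP, never in source as plaintext.
USERS = {"alice": "s3cret"}

# The body sent with the 401 on logout. The browser shows a login dialog
# first; on cancel it renders this page. The image lives under /static/,
# which is served without authentication, so cancelling does not trigger
# a second login prompt for the image.
LOGOUT_BODY = (b"<html><body><p>You have been logged out.</p>"
               b'<img src="/static/logo.png">'
               b'<a href="/public/">Continue anonymously</a></body></html>')

CHALLENGE = [("WWW-Authenticate", 'Basic realm="%s"' % REALM),
             ("Content-Type", "text/html")]


def make_basic_header(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time comparison so a wrong password and an unknown user look alike."""
    expected = USERS.get(user, "")
    matched = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return matched and user in USERS


def route(path, auth_header):
    """Decide the response for one request. Returns (status, headers, body)."""
    if path == "/logout":
        # Unconditional 401: the browser discards the cached credentials and
        # prompts again; cancelling shows LOGOUT_BODY.
        return 401, CHALLENGE, LOGOUT_BODY
    if path.startswith("/public/") or path.startswith("/static/"):
        # Anonymous area: never challenge here, or the logout page's assets
        # would re-prompt the user.
        return 200, [("Content-Type", "text/html")], b"<html><body>public</body></html>"
    creds = parse_basic_auth(auth_header)
    if creds is None or not credentials_valid(*creds):
        return 401, CHALLENGE, b"<html><body>Login required.</body></html>"
    body = b"<html><body>Hello " + creds[0].encode("utf-8") + b"</body></html>"
    return 200, [("Content-Type", "text/html")], body


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = route(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run locally and visit /private/, then /logout, then press Cancel.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

The point of `route` is that the 401 for /logout is identical in status and challenge to the 401 for a protected page, so the browser treats it as "credentials rejected" and forgets them; only the body differs. Keeping /static/ and /public/ outside the challenge is what prevents the repeated prompts Sam warns about.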