[Zope3-dev] logout patterns: a small proposal
Gary Poster
gary at zope.com
Thu Dec 8 11:15:00 EST 2005
On Dec 8, 2005, at 10:58 AM, Sidnei da Silva wrote:
> On Thu, Dec 08, 2005 at 10:11:46AM -0500, Gary Poster wrote:
> | ...
>
> Sounds good to me.
Cool.
> Only one issue that you should have in mind, and that has bitten me
> several times with the Zope 2 PluggableAuthService is the following:
>
> If you use the 'HTTPBasicAuthHelper' for login, that doesn't mean you
> can use it for logout. That is especially true if you happen to use the
> 'CookieAuthHelper', which translates cookie-based credentials to http
> basic.
>
> What happens is that in PAS, if you call logout() it will call all
> the 'ICredentialsReset', however if the HTTPBasicHelper happens
> to be one of those, it will raise an 'Unauthorized' exception, because
> that's how you log someone out using http basic auth, and then two
> things happen:
>
> 1. The cookie credentials don't get erased because of the Unauthorized
> 2. Any plugins that happened to be enabled for ICredentialsReset won't
> fire.
Thanks: that is interesting, and answers some idle questions I had
lying around in my head.
In the case of the Zope 3 pluggable auth, though, there are a number
of reasons why this (currently) doesn't come into play. A
particularly pertinent reason is that the default basic auth plug-in
doesn't do the 'raise Unauthorized' trick--it just rolls over and
plays dead (i.e., 'pass'). Logging out is effectively not available
if you are logged in via the standard basic auth. This is a case in
which you would not want to offer 'log out' in the UI (or you'd want
to work out some other compromise).
Gary
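The failure mode Sidnei describes, as an added toy model (not code from the thread, Zope 3 or PluggableAuthService; the plugin classes, the `resetCredentials` method and the `__ac` cookie name are assumed stand-ins): the naive loop stops at the first reset plugin that raises, so a cookie plugin ordered after the basic-auth helper never clears its cookie, while the robust loop runs every plugin before re-raising.

```python
# Added example: simulates a PAS-style logout() over ICredentialsReset-like
# plugins. All names below are hypothetical stand-ins, not the real PAS API.

class Unauthorized(Exception):
    """Stands in for the exception a basic-auth helper raises to force a 401."""


class CookieAuthHelper:
    """Hypothetical cookie plugin: logging out means expiring the session cookie."""
    def resetCredentials(self, request, response):
        response["cookies_to_expire"].append("__ac")  # constructed cookie name


class HTTPBasicAuthHelper:
    """Hypothetical basic-auth plugin: the only way to 'log out' of HTTP Basic
    is to re-challenge the browser, so it raises instead of returning."""
    def resetCredentials(self, request, response):
        raise Unauthorized("re-challenge the browser")


def naive_logout(plugins, request, response):
    """The pattern that bites: the first plugin that raises aborts the loop,
    so every plugin after it never fires (cookie stays set)."""
    for plugin in plugins:
        plugin.resetCredentials(request, response)


def robust_logout(plugins, request, response):
    """Mitigation: run every reset plugin, remember an Unauthorized, and
    re-raise it only after all plugins have had their chance to clean up."""
    pending = None
    for plugin in plugins:
        try:
            plugin.resetCredentials(request, response)
        except Unauthorized as exc:
            pending = exc
    if pending is not None:
        raise pending


def run(logout, plugins):
    """Drive one logout strategy; returns (cookies_expired, raised_unauthorized)."""
    response = {"cookies_to_expire": []}
    try:
        logout(plugins, {}, response)
        raised = False
    except Unauthorized:
        raised = True
    return response["cookies_to_expire"], raised
```

With the basic-auth helper ordered first, `run(naive_logout, ...)` leaves the cookie in place while `run(robust_logout, ...)` expires it and still raises, which is the observable difference to test for in a real plugin stack.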