Sin Hang Kin wrote:
I just applied for a test account from imeme.net.
I suddenly realized that there is no logout operation available.
That's ok, you're never 'logged in'. HTTP is stateless. There is no state, you are not logged in or logged out, you login and logout every time you make a request. This is the nature of HTTP.

HTTP Basic authentication is simple: you make a request, and the server says 'Unauthorized'. So the browser asks you, the user, for a username and password. Now you make a request and hand the server your credentials; at this point it says 'Ok' or 'Unauthorized'. If it says 'Ok', then your _browser_ caches your credentials and gives them to the server _for every request you make_. The server never maintains a list of who is 'logged in'.

HTTP Basic auth essentially does not let you logout. You have two choices, 1) quit your browser, or 2) <dtml-raise Unauthorized></dtml-raise>. The second one, raising Unauthorized, will cause your browser to prompt you for login credentials. To logout, hit 'cancel'.

Keep in mind that none of this has anything to do with Zope, but rather HTTP Basic authentication. They call it 'Basic' for a reason, it's simple and not flexible and the HTTP designers probably expected much more sophisticated techniques to be developed in its place. Several much more secure and intelligent techniques have been developed, but the authors of browser software don't give a damn or want to foist proprietary protocols on the user.

-Michel
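
The exchange described in the reply above, as an added example that is not part of the original post and is not Zope code: a WSGI app that keeps no session table, checks the Authorization header on every request, and offers a "logout" path that only ever answers 401. The USERS table, the /logout path and the helper names are assumptions made for the illustration.

```python
import base64
import hmac

USERS = {"demo": "s3cret"}  # constructed credentials, demonstration only


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check(creds):
    """Verify credentials; the comparison runs even for unknown users."""
    user, password = creds or ("", "")
    expected = USERS.get(user)
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return expected is not None and ok


def app(environ, start_response):
    """Each request is judged on its own header; nothing is remembered."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    # /logout answers 401 even to valid credentials, so the browser re-prompts.
    if environ.get("PATH_INFO") == "/logout" or not check(creds):
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="Example"'),
            ("Content-Type", "text/plain")])
        return [b"Unauthorized\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello, %s\n" % creds[0]).encode()]


def request(path, user=None, password=None):
    """Call the app in-process (no network) and return the status line."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    status = []
    app(environ, lambda s, h: status.append(s))
    return status[0]
```

A request without the header is refused even right after a successful one, because the server holds nothing between requests; the base64 token is an encoding, not encryption, so the password is readable on any non-TLS connection.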