Chris McDonough <chrism@zope.com> wrote:
When a user logs in you want to clear the SESSION object related to his browser. The simplest way to do this is to use a cookie-based user folder and cause the session to be cleared as a result of the user submitting a login form (read the Sessions chapter and look for "invalidate" to see how to clear the session).
The stock Zope user folder uses basic HTTP authentication and is therefore not suitable for this purpose. This is an unfortunate limitation of basic authentication. Basic HTTP authentication is not suitable because there is no way to "hook" a login (the programmer never gets the chance to "do something" when a user logs in).
You could maybe store the userid in the session, and for each page invalidate the session if the userid has changed.
OTOH, cookie-based user folders are suitable for this purpose because typically you will have the chance to display a custom login form and process its results yourself. During this processing, on successful login, invalidate the session object, and you'll have solved your problem.
Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)
+33 1 40 33 79 87 http://nuxeo.com mailto:fg@nuxeo.com
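
The per-request check suggested in the message above (store the userid in the session and invalidate the session when it changes), as an added example that is not part of the original message. `Session`, `SessionStore` and the `_owner_userid` key are stand-ins assumed for illustration, not Zope's session API.

```python
# Added example. Session and SessionStore are minimal stand-ins for a
# per-browser session object and its manager; they are not Zope classes.

OWNER_KEY = "_owner_userid"  # hypothetical key name chosen for this example


class Session(dict):
    """Per-browser session data with an invalidate() operation."""

    def __init__(self):
        super().__init__()
        self.valid = True

    def invalidate(self):
        # Drop everything; the store hands out a fresh object afterwards.
        self.clear()
        self.valid = False


class SessionStore:
    """Maps a browser id (the session cookie value) to its session."""

    def __init__(self):
        self._by_browser = {}

    def get(self, browser_id):
        session = self._by_browser.get(browser_id)
        if session is None or not session.valid:
            session = self._by_browser[browser_id] = Session()
        return session


def session_for_request(store, browser_id, userid):
    """Return a session that is guaranteed to belong to `userid`.

    `userid` is the authenticated user name for this request, or None for
    an anonymous request. Call this once at the start of every request.
    """
    session = store.get(browser_id)
    # A bound session whose owner differs from the current user means the
    # browser has switched identity (login, logout, or a different user).
    if OWNER_KEY in session and session[OWNER_KEY] != userid:
        session.invalidate()
        session = store.get(browser_id)
    session[OWNER_KEY] = userid
    return session
```

Because the check runs on every request it does not need a login hook, so it also works where authentication happens outside the application, as with basic HTTP authentication.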