-----Original Message----- From: Anthony Baxter [mailto:anthony@interlink.com.au] Sent: Wednesday, March 03, 1999 3:21 AM To: Martijn Pieters Cc: zope@zope.org Subject: Re: [Zope] AUTHENTICATED_USER, and what you can do with it.
What you could do is write your own UserFolder/User combo that stores a last-access time on the User object and checks it every time a user is authenticated. If the difference is greater than, say, 15 minutes, you force a reauthentication by raising a permission denied.
I tried playing with this once upon a time, but I found that the stupid browser still cached the original result and would continue to use it after the failed login/relogin combination. Most frustrating.
Cookies or passing around secret messages would be the way to avoid this; don't use Basic authentication at all. The UserDB product shows off a User Folder that uses cookies, and possibly today I am releasing a User Folder product for alpha testing that authenticates off of a flat file, like /etc/passwd, which also uses either Basic or Cookie auth. If you use Cookie auth you are presented with a login/logout screen to set/clear the cookie.

-Michel
Anthony
_______________________________________________ Zope maillist - Zope@zope.org http://www.zope.org/mailman/listinfo/zope
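The idle-timeout idea from the thread (record a last-access time, refuse logins older than a fixed window) combined with the cookie-based approach Michel recommends, as an added example that is not from the original messages, from Zope, or from the UserDB product. It does not model Zope's 1999 UserFolder API; SessionStore, login, authenticate, logout and the server-side secret are all invented for this illustration. The point it shows is why cookies fix Anthony's complaint: a server-side session entry can be deleted on timeout or logout, so a browser replaying the old cookie gets nothing, whereas cached Basic credentials stay valid as long as the password does.

```python
"""Idle-timeout enforcement for cookie-based logins (constructed example)."""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; the "say, 15 minutes" from the thread


class SessionStore:
    """Server-side table of live sessions, keyed by a random session id.

    The cookie handed to the browser is "<session id>.<HMAC of session id>",
    so a client cannot mint or alter a session id without the server secret.
    """

    def __init__(self, secret: bytes, idle_timeout: int = IDLE_TIMEOUT, clock=time.time):
        self._secret = secret
        self._idle = idle_timeout
        self._clock = clock  # injectable so the demo/tests can move time forward
        self._sessions = {}  # session id -> (user, last-access timestamp)

    def _sign(self, sid: str) -> str:
        return hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        """Call after the password check succeeded; returns the cookie value to set."""
        sid = secrets.token_urlsafe(32)  # urlsafe base64 never contains "."
        self._sessions[sid] = (user, self._clock())
        return f"{sid}.{self._sign(sid)}"

    def authenticate(self, cookie):
        """Return the user for a live session, or None to force a fresh login."""
        if not cookie or "." not in cookie:
            return None
        sid, sig = cookie.rsplit(".", 1)
        # Constant-time compare: a forged or corrupted signature is rejected
        # before the session table is consulted.
        if not hmac.compare_digest(sig.encode(), self._sign(sid).encode()):
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # logged out, expired earlier, or never issued
        user, last = entry
        now = self._clock()
        if now - last > self._idle:
            del self._sessions[sid]  # idle too long: the cookie is now worthless
            return None
        self._sessions[sid] = (user, now)  # sliding window: activity extends the session
        return user

    def logout(self, cookie):
        """Forget the session so a replayed cookie is refused."""
        if cookie and "." in cookie:
            self._sessions.pop(cookie.rsplit(".", 1)[0], None)


def demo():
    """Walk a session through use, tampering, idle expiry and logout."""
    clock = [1_000_000.0]
    store = SessionStore(b"server-side-secret", clock=lambda: clock[0])
    cookie = store.login("anthony")
    results = [store.authenticate(cookie)]                 # fresh login
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    results.append(store.authenticate(tampered))           # bad signature
    clock[0] += 10 * 60
    results.append(store.authenticate(cookie))             # 10 min idle: still good
    clock[0] += 16 * 60
    results.append(store.authenticate(cookie))             # 16 min idle: expired
    results.append(store.authenticate(cookie))             # stays expired
    cookie2 = store.login("anthony")
    store.logout(cookie2)
    results.append(store.authenticate(cookie2))            # logged out
    return results


if __name__ == "__main__":
    print(demo())
```

Because the last-access time lives on the server, the timeout cannot be extended by a client that simply keeps its cookie; and because the session id is random and signed, the only way to be authenticated is to have gone through login recently. Contrast this with Basic auth, where the browser re-sends the same Authorization header on every request and the server has no state to clear.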