Daniel.Weber@SEMATECH.Org wrote:
> As far as authorization goes, I've noticed that I get prompted for a user-name/password only once during a session. After you've been validated, it appears Zope does not prompt you again for that browser session.

Actually, Zope does prompt your client on every single request (that requires authorization); it must, because HTTP is stateless. Zope also validates every single request. This is a 'feature' of the HTTP Basic Authentication spec, which says browsers can cache auth information. It is, however, often a shortcoming that browsers do not let you manually clear this cache.

> The reason I'm concerned is that if I have to do maintenance on someone else's web browser, how do I ensure that after I leave a person cannot use the back button or history list to gain manager access to the site? Do I have to exit the browser when I'm done?

Yes. Or force the client to discard its cached auth info with a <dtml-raise Unauthorized></dtml-raise>.

-Michel
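The exchange Michel describes, as an added example that is not part of the original thread and not Zope's own code: the server side validates the Authorization header on every request and answers 401 with a WWW-Authenticate challenge when it is missing or wrong; the browser side is a simplified model (an assumption, not any real browser's implementation) that caches the credentials after one prompt, silently re-sends them on later requests, and drops them when it receives a 401 for that realm. The `/manage_logout` path plays the role of a page containing `<dtml-raise Unauthorized>`. The user name, password and paths are constructed for the example.

```python
import base64

# Constructed credential store, standing in for Zope's acl_users. Not real credentials.
USERS = {"manager": "secret"}
REALM = "Zope"
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def basic_header(credentials):
    """Build the 'Authorization: Basic ...' value for a 'user:password' string."""
    return "Basic " + base64.b64encode(credentials.encode("utf-8")).decode("ascii")


def check_basic_auth(headers):
    """Validate an HTTP Basic Authorization header; return the user name or None.
    The server does this on *every* request: HTTP is stateless, so nothing is
    remembered from an earlier successful login."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or USERS.get(user) != password:
        return None
    return user


def server(path, headers):
    """Model of the server side. Returns (status, response_headers, body)."""
    if path == "/manage_logout":
        # Equivalent of a page that raises Unauthorized: answer 401 even to
        # valid credentials so the browser throws away what it cached.
        return 401, dict(CHALLENGE), "logged out"
    if path.startswith("/manage"):
        user = check_basic_auth(headers)
        if user is None:
            return 401, dict(CHALLENGE), "Unauthorized"
        return 200, {}, f"management screen for {user}"
    return 200, {}, "public page"


class Browser:
    """Simplified model of a browser's Basic-auth cache (assumption): one realm,
    credentials remembered after a prompt and re-sent on every later request,
    which is why the Back button or history list works without a new prompt."""

    def __init__(self):
        self.cache = {}      # realm -> "user:password"
        self.prompts = 0     # how many times the user was asked for credentials

    def request(self, path, credentials=None):
        """Fetch path; 'credentials' is what the user would type if prompted."""
        headers = {}
        if REALM in self.cache:
            headers["Authorization"] = basic_header(self.cache[REALM])
        status, _resp_headers, body = server(path, headers)
        if status == 401:
            # A 401 for the realm invalidates whatever was cached for it.
            self.cache.pop(REALM, None)
            if credentials is not None:
                self.prompts += 1
                self.cache[REALM] = credentials
                # Retry once with the freshly typed credentials; no credentials
                # are passed on the retry, so a persistent 401 cannot loop.
                return self.request(path)
        return status, body


def maintenance_session():
    """Walk through the scenario from the thread and return what happened."""
    b = Browser()
    out = {}
    out["anon"] = b.request("/manage_main")[0]                        # prompted, no answer: 401
    out["login"] = b.request("/manage_main", "manager:secret")[0]     # prompt answered: 200
    out["back_button"] = b.request("/manage_main")[0]                 # cached creds re-sent: 200
    out["prompts_after_back"] = b.prompts                             # still 1
    out["logout"] = b.request("/manage_logout")[0]                    # forced 401 clears cache
    out["after_logout"] = b.request("/manage_main")[0]                # must log in again: 401
    out["bad_password"] = b.request("/manage_main", "manager:wrong")[0]  # rejected: 401
    return out


if __name__ == "__main__":
    for step, result in maintenance_session().items():
        print(f"{step:>20}: {result}")
```

The point the model makes visible is that nothing on the server distinguishes the "back button" request from the first authenticated one: both carry the same Authorization header, so the only way to end the session is to make the browser forget the header, either by closing it or by provoking a 401 for the realm.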