Revoking authentication (or: logging out)?
I'm working on a system to make medical records available via a web interface. It needs to make different levels of access available to different sorts of people (doctors, nurses, clerical staff) - a perfect match for Zope's roles.

But I've encountered one rub: the web browser will be running on PC's sitting in various spots in the clinic's offices: the doctor's office, work areas, even examination rooms. There will be a different person sitting down at it every few minutes. But, with "Basic" authentication, once the web browser has your username/password in its clutches, it never lets go.

We're dealing with medical records here, so it is a poor idea to leave a "logged in" browser sitting around in a public place. What I am looking for is a way to put in a "log out" option that stops short of killing and restarting the browser. Has anybody else figured out a way to do this?

Thanks,
jon
Jonathan Corbet, Eklektix, Inc. corbet@eklektix.com
Jonathan Corbet wrote:
We're dealing with medical records here, so it is a poor idea to leave a "logged in" browser sitting around in a public place. What I am looking for is a way to put in a "log out" option that stops short of killing and restarting the browser. Has anybody else figured out a way to do this?
We have the same patient confidentiality issues to address in a similar domain. My solution is to create a session manager that forces a user timeout after a period of inactivity, typically 10-20 minutes. In this scenario, it is necessary to bypass basic authentication and roll your own. I'm still experimenting; it's not really mainstream Zope. A timeout solution isn't perfect, but it's an improvement. I'm open to other suggestions that don't require special security equipment.

Best regards,
Jeff Bauer
Rubicon, Inc.
If you use the "unsupported" UserDB system, you can store the auth info in cookies, instead of basic auth. You can then do a 'logout' by calling acl_users/docLogout. (or even modify the UserDB code to add an expiry date to the cookie)

Anthony
Jonathan Corbet wrote:
I'm working on a system to make medical records available via a web interface. It needs to make different levels of access available to different sorts of people (doctors, nurses, clerical staff) - a perfect match for Zope's roles.
But I've encountered one rub: the web browser will be running on PC's sitting in various spots in the clinic's offices: the doctor's office, work areas, even examination rooms. There will be a different person sitting down at it every few minutes. But, with "Basic" authentication, once the web browser has your username/password in its clutches, it never lets go.
We're dealing with medical records here, so it is a poor idea to leave a "logged in" browser sitting around in a public place. What I am looking for is a way to put in a "log out" option that stops short of killing and restarting the browser. Has anybody else figured out a way to do this?
Thanks,
jon
Jonathan Corbet, Eklektix, Inc. corbet@eklektix.com
_______________________________________________ Zope maillist - Zope@zope.org http://www.zope.org/mailman/listinfo/zope
(For developer-specific issues, use the companion list, zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
-- Anthony Baxter <anthony@interlink.com.au> It's never too late to have a happy childhood.
Anthony Baxter wrote
If you use the "unsupported" UserDB system, you can store the auth info in cookies, instead of basic auth. You can then do a 'logout' by calling acl_users/docLogout.
(or even modify the UserDB code to add an expiry date to the cookie)
Oops, almost forgot - we're using this here, and I've had _some_ reports that IE won't properly expire the cookie. So make sure whatever you do, test test test. (If someone can give a definitive answer on this, that would be great - otherwise I'll dig into it over the next day or so).

Anthony
-- Anthony Baxter <anthony@interlink.com.au> It's never too late to have a happy childhood.
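The two suggestions above (Jeff's inactivity timeout and Anthony's cookie-based login with a logout action) combine naturally into one server-side session store. The following is an added example written for this thread, not Zope's UserDB or either poster's code; the store, cookie name `zsession` and 15-minute timeout are assumptions. Because the session is destroyed on the server, logout holds even if the browser keeps the cookie, which is the IE expiry problem Anthony mentions.

```python
import os
import time

# Constructed in-memory store: token -> (user, last_seen). A real deployment
# would persist this and serve it over TLS; this is an illustration only.
SESSIONS = {}
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies (inside the 10-20 min range)
COOKIE_NAME = "zsession"  # hypothetical cookie name


def login(user, now=None):
    """Issue an opaque random token; the cookie never carries the password."""
    token = os.urandom(32).hex()
    SESSIONS[token] = (user, now if now is not None else time.time())
    return token


def current_user(token, now=None):
    """Return the user for a live session and refresh its activity timestamp.

    Returns None if the token is unknown, already logged out, or idle too long;
    an idle session is destroyed server side so it cannot be revived.
    """
    now = now if now is not None else time.time()
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, last_seen = entry
    if now - last_seen > IDLE_TIMEOUT:
        del SESSIONS[token]
        return None
    SESSIONS[token] = (user, now)  # activity resets the inactivity clock
    return user


def logout(token):
    """Server-side invalidation; returns True if a session was actually removed."""
    return SESSIONS.pop(token, None) is not None


def set_cookie_header(token):
    """Set-Cookie value for a fresh login (attributes keep the token out of scripts and plain HTTP)."""
    return "%s=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % (COOKIE_NAME, token)


def clear_cookie_header():
    """Set-Cookie value sent on logout; belt-and-braces next to the server-side removal."""
    return "%s=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Strict" % COOKIE_NAME
```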
On Wed, 16 Jun 1999, you wrote:
I'm working on a system to make medical records available via a web interface. It needs to make different levels of access available to different sorts of people (doctors, nurses, clerical staff) - a perfect match for Zope's roles.
But I've encountered one rub: the web browser will be running on PC's sitting in various spots in the clinic's offices: the doctor's office, work areas, even examination rooms. There will be a different person sitting down at it every few minutes. But, with "Basic" authentication, once the web browser has your username/password in its clutches, it never lets go.
We're dealing with medical records here, so it is a poor idea to leave a "logged in" browser sitting around in a public place. What I am looking for is a way to put in a "log out" option that stops short of killing and restarting the browser. Has anybody else figured out a way to do this?
You might try something like "http://nouser:nopassword@mysite.com/index.html". Clicking the link should try to authenticate with nouser:nopassword, and unless you really have a user 'nouser' whose password is 'nopassword' it should fail and pop up the authentication box.
Thanks,
jon
Jonathan Corbet, Eklektix, Inc. corbet@eklektix.com
-- Howard Clinton Shaw III - Grum St. Thomas High School #include "disclaimer.h"
On Wed, 16 Jun 1999, you wrote:
I'm working on a system to make medical records available via a web interface. It needs to make different levels of access available to different sorts of people (doctors, nurses, clerical staff) - a perfect match for Zope's roles.
But I've encountered one rub: the web browser will be running on PC's sitting in various spots in the clinic's offices: the doctor's office, work areas, even examination rooms. There will be a different person sitting down at it every few minutes. But, with "Basic" authentication, once the web browser has your username/password in its clutches, it never lets go.
We're dealing with medical records here, so it is a poor idea to leave a "logged in" browser sitting around in a public place. What I am looking for is a way to put in a "log out" option that stops short of killing and restarting the browser. Has anybody else figured out a way to do this?
Actually, to refine my previous suggestion: the link should probably go to an intro page directly, which page should include a redirect to a URL such as I described. This way, you don't have to worry about the previous info remaining on screen.
Thanks,
jon
Jonathan Corbet, Eklektix, Inc. corbet@eklektix.com
-- Howard Clinton Shaw III - Grum St. Thomas High School #include "disclaimer.h"