Re: [Zope] keeping track of logged in users
Zope's default user folder uses HTTP basic authentication, not cookies. When a request comes in, the "authorization" header is taken from the request (it contains the username and password) and Zope does authorization based on roles from there on in.
- C
Thanks for the explanation, this answers the first question I asked. I re-post the other two questions. Regards, M.
----- Original Message -----
From: "Mario Bianchi" <kammamuri_mb@hotmail.com>
To: <zope@zope.org>
Sent: Tuesday, August 06, 2002 1:17 PM
Subject: [Zope] keeping track of logged in users
Hi list,
....
Also, how does Zope keep track of the users currently logged in? What data structures does it use?
More, there seems to be no way of logging out (except if you're a manager: in this case you can use the logout button from the management interface): if you ask for a resource not publicly accessible, you're prompted to enter userid and password and from that moment on you're logged in, but how can you logout?
Regards, Mario.
Am 07.08.2002, 11:23 Uhr schrub Mario Bianchi <kammamuri_mb@hotmail.com>:
Also, how does Zope keep track of the users currently logged in?
It doesn't. From the server perspective there is no such thing as "being logged in" in HTTP. The browser sends authorization information with each and every request once you entered the details and they are checked by the server for every request. The illusion of "being logged in" is just an effect of your browser remembering username and password and sending them again without further bothering you to re-enter them.
Jo.
--
Internetmanufaktur Jo Meder ---------------------- Berlin, Germany
http://www.meder.de/ ------------------- fon: ++49-30-417 17 63 33
Kollwitzstr. 75 ------------------------ fax: ++49-30-417 17 63 45
10435 Berlin --------------------------- mob: ++49-170- 2 98 89 97
Public GnuPG-Key ---------- http://www.meder.de/keys/jo-pubkey.txt
On Wed, Aug 07, 2002 at 11:30:51AM +0200, Jo Meder wrote:
Also, how does Zope keep track of the users currently logged in?
The illusion of "being logged in" is just an effect of your browser remembering username and password and sending them again without further bothering you to re-enter them.
I was just about to say: Then what does the "logout" do in the ZMI? But then I thought "let's see what the logout option does in the zmi", so I viewed the source, then searched the zope /lib/python directory and in ZOPE_DIR/lib/python/App/Management.py, I found the definition of manage_zmi_logout. Basically, to log someone out, it sends an http error 401 in the response. Felix.
Am 07.08.2002, 11:49 Uhr schrub Felix Ulrich-Oltean <felix@chaptereight.com>:
Basically, to log someone out, it sends an http error 401 in the response.
Exactly. If your browser receives a 401 response it assumes that the username and password it remembered are incorrect and therefore asks for new credentials. But try the following: Using IExploder log in, log out and cancel the box asking for username and password. Now revisit the management screen by manually typing in the URL or selecting it from your bookmarks. Voila: seems like you never logged out. The only method to reliably "log out" that I know of is to shut down your browser completely.
Jo.
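The mechanics Jo and Felix describe, as an added example that is not part of the thread and not Zope's own code: a toy server that authorises each request from its own Authorization header alone (no session table anywhere), a `/manage_zmi_logout`-style path that answers 401 even to valid credentials, and a toy browser credential cache that either drops or keeps its credentials after a 401. The user table, realm name and paths are constructed for the example; the `forget_on_401=False` case models the browser behaviour Jo reports.

```python
import base64
import binascii
import hmac

# Constructed user table and realm for this toy server (not Zope's acl_users).
USERS = {"manager": "s3cret"}
REALM = "Zope"


def parse_basic_auth(header):
    """Decode 'Authorization: Basic <base64(user:password)>' into (user, password).

    Returns None for a missing, non-Basic or malformed header, so a garbled
    header is treated exactly like no header at all.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def challenge():
    """A 401 response carrying the WWW-Authenticate challenge for the realm."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}


def handle_request(path, headers):
    """Authorise one request from its own headers; the server keeps no session.

    /manage_zmi_logout mimics what the thread describes: it answers 401 even
    to valid credentials, so that the browser discards what it remembered.
    """
    if path == "/manage_zmi_logout":
        return challenge()
    creds = parse_basic_auth(headers.get("Authorization"))
    expected = USERS.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return challenge()
    return {"status": 200, "headers": {}, "user": creds[0]}


class Browser:
    """Toy credential cache modelling the two browser behaviours in the thread."""

    def __init__(self, forget_on_401=True):
        self.forget_on_401 = forget_on_401   # False models the case Jo describes
        self.cache = {}                      # realm -> (user, password)
        self.prompt = None                   # what the user would type into the dialog

    def set_prompt(self, user, password):
        self.prompt = (user, password)

    def get(self, path):
        """Send one request, replaying cached credentials; return the status."""
        headers = {}
        if REALM in self.cache:
            user, password = self.cache[REALM]
            raw = f"{user}:{password}".encode("utf-8")
            headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
        resp = handle_request(path, headers)
        if resp["status"] == 401:
            if self.forget_on_401:
                self.cache.pop(REALM, None)
            if self.prompt is not None:      # user fills in the dialog and retries
                self.cache[REALM] = self.prompt
                self.prompt = None
                return self.get(path)
        return resp["status"]


def logout_scenario(forget_on_401):
    """Log in, log out, cancel the dialog, revisit; return the three statuses."""
    browser = Browser(forget_on_401)
    browser.set_prompt("manager", "s3cret")
    first = browser.get("/manage_main")          # 401 -> dialog -> 200
    logout = browser.get("/manage_zmi_logout")   # 401, dialog cancelled
    revisit = browser.get("/manage_main")        # 401 only if credentials were dropped
    return [first, logout, revisit]
```

`logout_scenario(True)` gives `[200, 401, 401]`; `logout_scenario(False)` gives `[200, 401, 200]`, the "seems like you never logged out" outcome. The server side is identical in both runs, which is the point: with basic authentication the only state is in the client, so the server can ask the browser to forget but cannot verify that it did.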
On Wednesday 07 August 2002 12:30, Jo Meder wrote:
Voila: seems like you never logged out. The only method to reliably "log out" that I know of is to shut down your browser completely.
There is *NO* way to log out completely with standard a12n. Only if you use cookie-based Login Manager, where you can make old valid cookie or so. Also cookie-less AFAIK, but I've never used it yet.
--
Sincerely yours, Bogdan M. Maryniuck
"Even more amazing was the realization that God has Internet access. I wonder if He has a full newsfeed?" (By Matt Welsh)
Bo M. Maryniuck wrote:
On Wednesday 07 August 2002 12:30, Jo Meder wrote:
Voila: seems like you never logged out. The only method to reliably "log out" that I know of is to shut down your browser completely.
There is *NO* way to log out completely with standard a12n.
Yeah there is. This happens when the browser stops sending authorisation headers. Now, 99% of browsers out there will stop sending authorization headers if they receive a 401 for those authorisation headers, so the ZMI way of logging out can be quite reliable.
Only if you use cookie-based Login Manager, where you can make old valid cookie or so. Also cookie-less AFAIK, but I've never used it yet.
huh? Sorry, that paragraph lost something in the translation :-S I'd personally use the CookieCrumbler product if I wanted to add cookie authentication to a site. I wonder if someone could come up with something similar that would store the session in the URL instead of in a cookie?
cheers, Chris
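The cookie-based alternative Chris and Bogdan refer to, as an added example that is not CookieCrumbler's or Zope's own code: a server-side session table that logout revokes, so a client that keeps replaying the old cookie is still refused, which is exactly what basic authentication cannot do. The cookie name `__ac`, the user table, the paths and the TTL are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed user table for this example (not CookieCrumbler's acl_users).
USERS = {"manager": "s3cret"}
COOKIE_NAME = "__ac"      # name chosen for the example
SESSION_TTL = 3600        # seconds a session stays valid without a logout


class SessionStore:
    """Server-side table of live sessions; logout simply deletes the entry."""

    def __init__(self, now=time.time):
        self.sessions = {}    # token -> (user, expiry)
        self.now = now        # injectable clock, so expiry can be tested

    def create(self, user):
        token = secrets.token_urlsafe(32)     # unguessable random session id
        self.sessions[token] = (user, self.now() + SESSION_TTL)
        return token

    def lookup(self, token):
        """Return the user for a live token, or None if unknown or expired."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self.now() > expiry:
            del self.sessions[token]
            return None
        return user

    def revoke(self, token):
        self.sessions.pop(token, None)


def parse_cookie(header):
    """Minimal 'Cookie:' header parser -> {name: value}."""
    jar = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def login(store, user, password):
    """Check credentials; on success return the Set-Cookie header value."""
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = store.create(user)
    return f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_request(store, path, headers):
    """Authorise from the session cookie; /logout revokes the session server-side."""
    token = parse_cookie(headers.get("Cookie")).get(COOKIE_NAME)
    if path == "/logout":
        store.revoke(token)
        clearing = f"{COOKIE_NAME}=; Path=/; Max-Age=0"
        return {"status": 200, "headers": {"Set-Cookie": clearing}}
    user = store.lookup(token)
    if user is None:
        return {"status": 401, "headers": {}}
    return {"status": 200, "headers": {}, "user": user}


def stale_cookie_scenario():
    """Log in, log out, then replay the old cookie; return the three statuses."""
    store = SessionStore()
    set_cookie = login(store, "manager", "s3cret")
    cookie = set_cookie.split(";")[0]     # "__ac=<token>", as the browser sends it back
    before = handle_request(store, "/manage_main", {"Cookie": cookie})["status"]
    logout = handle_request(store, "/logout", {"Cookie": cookie})["status"]
    # a client that ignored the clearing Set-Cookie and replays the token is refused
    after = handle_request(store, "/manage_main", {"Cookie": cookie})["status"]
    return [before, logout, after]
```

`stale_cookie_scenario()` gives `[200, 200, 401]`: because the session lives on the server, revoking it ends the login no matter what the client still remembers. Carrying the same token in the URL, as Chris wonders about, would work the same way on the server side, but the token then shows up in server logs, bookmarks and Referer headers, which is why a cookie marked HttpOnly and Secure is the usual carrier.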
participants (5)
- Bo M. Maryniuck
- Chris Withers
- Felix Ulrich-Oltean
- Jo Meder
- Mario Bianchi