Logging out a user (in code)
Ok, small question - I thought I saw the answer somewhere, but as luck would have it... I can't find it.

I have a method that can only be viewed by a user who is logged in. But let's say that I want to put a button in a form, so that when they press it, it logs them out. I figure I'll submit the form to another method, or do some marshalling - it doesn't matter, but what I need to find out is how to log the user out with code (kill their session, whatever).

And I guess I can add another request while I'm thinking of it. Is there a way (I'm sure there is) to determine if a user is logged in? Something like:

    if user is logged in
        do this
    else
        do this

I'll keep searching, but I appreciate anyone who has a spare second to help me out with this.

Thanks in advance,
Tommy Johnson

Innovation: The Best Way To Predict The Future ... Is To Create It.
Tommy Johnson writes:
> .... but what I need to find out is how to log the user out with code
> (kill their session, whatever).

This depends on whether you use "Basic Authentication" or "Cookie based Authentication".

In the former case, you can look at how the Zope "logout" (--> ZMI) works. It logs out, but it may well confuse your users. Unfortunately, it is probably the best you can get with Basic Authentication.

With cookie based authentication, you simply kill the cookie.

> And I guess I can add another request while I'm thinking of it. Is there
> a way (I'm sure there is) to determine if a user is logged in? Something like:

You check "AUTHENTICATED_USER.getUserName()" against "Anonymous User".
Dieter
On Sun, Jul 08, 2001 at 11:50:42PM +0200, Dieter Maurer wrote:
[...]
> With cookie based authentication, you simply kill the cookie.
[...]

Really? Just think, what happens if the user manually copies its cookie and stores it back on the browser?

You have to tell the server to forget that this cookie is authorized ... ?

(I'm not sure on that ... )

--
Christian Theune - ct@gocept.com
gocept gmbh & co.kg - schalaunische strasse 6 - 06366 koethen/anhalt
tel. +49 3496 3099112 - fax. +49 3496 3099118 - mob. 0178 48 33 981
reduce(lambda x,y:x+y,map(lambda x:chr(ord(x)^42),tuple('zS^BED\nX_FOY\x0b')))
Christian Theune <ct@gocept.com> wrote:
> On Sun, Jul 08, 2001 at 11:50:42PM +0200, Dieter Maurer wrote:
> > With cookie based authentication, you simply kill the cookie.
> [...]
>
> Really? Just think, what happens if the user manually copies its cookie and stores it back on the browser?
>
> You have to tell the server to forget that this cookie is authorized ... ?
>
> (I'm not sure on that ... )

A better way would be to track the cookie's value on the server; then you can kill the cookie both on the client and prevent its re-use from the server side.

An example would be to store the cookie's key and value along with a timeout on the server side. So long as you have a valid request, you update the timeout value on the server side. When the user logs out you set the timeout to "now". The next time the user tries to do something, the server detects that the cookie is invalid (based on the timeout) and takes appropriate action (i.e. redirecting to the login screen).

Hope this helps.

/dario
Christian Theune writes:
> On Sun, Jul 08, 2001 at 11:50:42PM +0200, Dieter Maurer wrote:
> [...]
> > With cookie based authentication, you simply kill the cookie.
> [...]
>
> Really? Just think, what happens if the user manually copies its cookie and stores it back on the browser?
>
> You have to tell the server to forget that this cookie is authorized ... ?

Yes, if you want to be sure... And your cookie is some hash value and not a direct encoding of user name and password.
Dieter
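Below is an added illustration of the scheme Dario describes (server-side record of each cookie with a sliding timeout, invalidated on logout) combined with Dieter's point that the cookie should be an opaque random value rather than an encoding of the user name and password. It is not code from the thread or from Zope; the class and method names, the 15-minute idle timeout, and the use of Python's `secrets` module are assumptions made for the example. On logout the entry is dropped from the store, which has the same effect as Dario's "set the timeout to now". The `"Anonymous User"` name is the one Dieter mentions checking against.

```python
import secrets
import time

# The user name Zope reports for an unauthenticated request (from Dieter's reply).
ANONYMOUS = "Anonymous User"
# Seconds of inactivity before a session dies; assumed value for this example.
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """Server-side record of issued session cookies, keyed by cookie value.

    Each entry holds the user name and an expiry timestamp.  A presented
    cookie that is absent or expired counts as anonymous, so a copy the
    user saved before logging out is useless once the server has forgotten it.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}            # token -> {"user": str, "expires": float}
        self._idle_timeout = idle_timeout
        self._clock = clock            # injectable so the demo can control time

    def login(self, username):
        """Issue a fresh random token; the cookie itself carries no user data."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": username,
            "expires": self._clock() + self._idle_timeout,
        }
        return token

    def authenticated_user(self, token):
        """Map a presented cookie value to a user name.

        Every valid request pushes the expiry forward (Dario's sliding
        timeout); an expired entry is removed and treated as anonymous.
        """
        entry = self._sessions.get(token)
        if entry is None:
            return ANONYMOUS
        now = self._clock()
        if now >= entry["expires"]:
            del self._sessions[token]  # timed out: forget it for good
            return ANONYMOUS
        entry["expires"] = now + self._idle_timeout
        return entry["user"]

    def logout(self, token):
        """Invalidate on the server side.  Clearing the browser cookie alone
        is not enough, because a saved copy could be put back later."""
        self._sessions.pop(token, None)

    def is_logged_in(self, token):
        """Tommy's 'if user is logged in' check, against the anonymous name."""
        return self.authenticated_user(token) != ANONYMOUS


def demo():
    """Login, replay of a saved cookie after logout, and idle expiry,
    driven by a constructed fake clock so the timing is deterministic."""
    fake_now = [1_000_000.0]
    store = SessionStore(idle_timeout=60, clock=lambda: fake_now[0])

    token = store.login("tommy")
    saved_copy = token                 # what a user might stash before logging out
    results = {"after_login": store.authenticated_user(token)}

    store.logout(token)
    results["replayed_after_logout"] = store.authenticated_user(saved_copy)

    token2 = store.login("tommy")
    fake_now[0] += 30                  # a request inside the window keeps it alive
    results["after_30s"] = store.authenticated_user(token2)
    fake_now[0] += 61                  # then silence for longer than the timeout
    results["after_idle"] = store.authenticated_user(token2)
    return results


if __name__ == "__main__":
    for step, user in demo().items():
        print(f"{step}: {user}")
```

The store is an in-memory dict here; in a real deployment it would live wherever the application keeps persistent state, and a request handler would read the cookie value from the request, call `authenticated_user`, and redirect to the login form when it gets `"Anonymous User"` back.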
participants (4)
- Christian Theune
- Dario Lopez-Kästen
- Dieter Maurer
- Tommy Johnson