For the moment, I'm using the standard acl_users folders that are built into Zope. I've got a page that generates information of interest to a given user. The Anonymous User is allowed to view the page. However, to view a customized version, the user must first log in. How do I force Zope to prompt the user for a login (preferably when they push a button)?

The only thing I've come up with is creating an "Authenticated" role, assigning all users to that role, and then creating a "Login" document which the Anonymous role cannot view, but the Authenticated role can. Although it works, it seems like there should be a better (built into Zope) way. Is there? The disadvantage to my Authenticated role scheme is that we need to make sure that every user is assigned this role.

Also, I'm still interested in that snippet of code that logs out the current user (I think it removes a cookie? I'm not sure). If someone could post that, I'd be grateful.

Thanks in advance.
Logging a user out is simple. The normal acl_users folder uses basic user authentication. This form of authentication causes a browser to send the supplied username and password on every request made to that domain name. The browser will not stop sending this authentication header until the browser is restarted or a page comes back unauthorized, in which case a new login dialog box gets sent to the user. Consequently, if you write a DTML method that sends a 401 Not-Authorized message back to the user, the browser will present a new login box to the user, and it will stop sending the old one. Unfortunately, there is no way to combine a redirection with a 401 message, so you cannot invalidate their authentication and redirect them to an anonymously available page at the same time. Consequently, the best you will be able to do is to have them click log out and be immediately faced with a new login box. You can provide a page that shows up when the user clicks cancel on the dialog box, though.

Don't despair, there is a way around it. If you use the Generic User Folder or the UserDb product, you can have a user authenticate with an HTML form instead of through HTTP basic authentication. In this method, you have them submit a username and password in text boxes in a form field, and if their authentication checks out, you can set a cookie on their browser. All subsequent requests will be served with that cookie, until the cookie expires. You probably want to make the cookie expire in 15 or 30 minutes. Every subsequent request to the site should set the same cookie with a new expiration date, 15 or 30 minutes into the future. That way, if a user leaves the site for more than 15 or 30 minutes, their cookie expires and the next time they access the site, they will be redirected to the login page again.

To log a user out with this mechanism, just have the logout method set the expiration on the cookie to be immediate, but make that page available to anonymous users. That way, they will see the logout page, but if they try to go to any other authenticated page, they will just get the login form again. Enjoy.

--sam
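The cookie scheme Sam describes (form login, a 15-minute expiry refreshed on every request, logout by expiring the cookie at once), as an added Python example that is not from the original thread nor from Zope, the Generic User Folder or UserDb; the cookie name, the user table and the in-memory session store are assumptions. It also enforces the idle timeout on the server side, because a Max-Age the browser is asked to honour is not something the server can rely on.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60        # the 15-minute sliding window from the reply above
COOKIE_NAME = "zope_session"  # hypothetical cookie name (assumption)
# Constructed demo user table: username -> SHA-256(salt + password).
USERS = {"alice": hashlib.sha256(b"demo-salt" + b"correct horse").hexdigest()}


def _check_password(username, password):
    digest = hashlib.sha256(b"demo-salt" + password.encode()).hexdigest()
    # constant-time compare, with a dummy digest so unknown users take the same time
    return hmac.compare_digest(digest, USERS.get(username, "0" * 64))


def _cookie_header(token, max_age):
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["max-age"] = max_age
    c[COOKIE_NAME]["httponly"] = True  # not readable by page scripts
    c[COOKIE_NAME]["secure"] = True    # sent over TLS only
    return c.output(header="").strip()


def _token_from(cookie_header):
    c = SimpleCookie()
    c.load(cookie_header or "")
    return c[COOKIE_NAME].value if COOKIE_NAME in c else None


def login(sessions, username, password, now):
    """Form login: on success create a server-side session and return the Set-Cookie value."""
    if not _check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)  # random session id; never the username itself
    sessions[token] = {"user": username, "expires": now + IDLE_TIMEOUT}
    return _cookie_header(token, IDLE_TIMEOUT)


def authenticate(sessions, cookie_header, now):
    """Per-request check: (username, refreshed Set-Cookie) or (None, None); expiry is checked here."""
    token = _token_from(cookie_header)
    session = sessions.get(token)
    if session is None or session["expires"] <= now:
        sessions.pop(token, None)  # idle too long: the server forgets it regardless of the browser
        return None, None
    session["expires"] = now + IDLE_TIMEOUT  # slide the window forward on every hit
    return session["user"], _cookie_header(token, IDLE_TIMEOUT)


def logout(sessions, cookie_header):
    """Logout page (anonymous-viewable): drop the session and expire the cookie immediately."""
    sessions.pop(_token_from(cookie_header), None)
    return _cookie_header("", 0)  # Max-Age=0 tells the browser to discard the cookie now
```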
Participants (2): Art Hampton, Sam Gendler