Hello Thanks for the answer, but I am afraid I still need some more help here.. At 15:46 14/10/99 +0200, Martijn Pieters answered my questions, and wrote:

You could switch to cookie based authentication. UserDB, a User Folder that authenticates against a backend RDBMS, supports cookies, and so does the User Folder that is used at zope.org. Cookies you can expire, and that browser with the 'remember password' can be told to forget about a certain HTML password input box (which it normally could aslo remember for you).

1. I confess cookies are now a major <neglected> topic on my learning curve_horizon, thanks to the above advice. But please where can I see any examples (for example) of how zope.org does it. Or anyone else... Are you all zipping along with nice cookie user logon strategies, or do you all quit and restart.. what's the story here? 2. It really seems to me what I am asking should be one of the default [non-advanced] developer modes for Zope. When you demo to clients or prospective clients, IMHO it is _really_ important not to have 'quit' application[browsers especially], wait re-load, explain (like they care!)etc... But, it's not just the demo, it's really the ongoing use of the thing; where one has effectively no control over how people will use their browsers. 3. Specifically when you say RBMDS backend - does this include the integrated Zope database - or am going to have to kludge-on an external solution? 4. OK hopefully I'll come back in a few days much smarter about zope.cookies and having found a lovely way around this. But what do you think about a basic default means to switch quickly between: a.> developer_manager-savvy behavior (current) and b.> demo_client_real-world behavior where a timeout or change of focus immediately requires login? All done using default Zope features as available through the V2.x download. Am I describing a Zope product here which is still too trivial and/or low on people priorities? Or is this simply some clever DTML/python available now? 5. In general I am no doubt among many who are champing at the documentation bit. It's great to see what speed docs _are_being developed. I know what I want, and to hand out to others, is lovely handy edition of 'Zope In A Nutshell'. [$15-$25, O'Reilly]. To sit on the shelf next to : Python, Learning Python, and Python Win32(Dec'99). and of course a slender sister companion 'Zope - pocket reference' ... "O'Reilly's 'Zope in a Nutshell' [ZIAN] has that blessed combination of long lucid intro-overview chapters, copious clear tables, rich appendices, and many many short examples embedded throughout the text, and some design overview techniques drawn from real-world case studies" Till then I comb through, print-out and read everything I can get my hands on. but it It is embedding of small but crucial examples which really makes the difference. IMHO, this is what the 'The Zope Quick Reference Document' needs to make it truly useful. And yes I know how much work it is, and like someone else suggested, I too would be willing to pay towards helping getting it done. Thanks for shining any more light - Jason Cunliffe [snip] [My question was:] [snip]

...

I am concerned about how to prevent access to management screens when someone does not fully quit the web browser after a management session. Either I have missed something so basic about zope permissions, or it has missed my application.context.

It seems that if I log-on as zope site manager/developer/contentprovider, and do some priviledged site work, but then walk away from the browser [ even though I have left it on another URL entirely], then the next person can step up to the machine, click 'back', use 'history', or type in www.mysite.com:8080/somefolder/manage - and bingo slide back into my shoes with those powers!

...oops! ouch.. Tell me I am wrong please. If this is true what does anyone recommend? [snip] Is there some nice code {Javascipt/Zope} you can think of to check the fact once the browser focus has moved onto another page or something, then I am obliged to re-enter user:password information?

Ditto what can I do when a user of the browser has selected the 'remember password' item? Is there a clean way to zope around this?

------------------------------------------------- Jason Cunliffe <jasonic@nomadicsltd.com> NOMADICS.STUDIO(Design Director) Geo-Digital Arts and Technology Le Vieux Moulin, Route de Mons 83440 SEILLANS, FRANCE Tel: +33 (0)4 94.76.98.72 Fax: +33 (0)4 94.76.97.77 <jasonic@nomadicsltd.com>