RE: [Zope] Revoking authentication (or: logging out)?
Cookies or URL embedding are two possible solutions. Cookies store login state and expiry information; your pages validate this information and emit a 401 if incorrect. This is to augment, not replace, Zope's security system, although most likely you'll be forced to do your own HTTP authentication (which iirc means writing your own UserFolder descendant wrapped in a Zope Product).

URL embedding is just a variation that embeds the information in URLs rather than inside cookies (you should obfuscate or hexbin the information to avoid problems); this is typically more relevant on public sites where some users might not have cookies enabled, or are running a non-cookie-enabled browser. Otoh, the downside is you have to put this stuff in every single secure URL.

I hear Chris Petrilli is the resident security dude at DC. Perhaps he can shed more light on this subject; I just drained the bulk of my knowledge on this topic. :-)

Imho a solution to this problem should be built into Zope, since it's so common.

-- 
Alexander Staubo
http://www.mop.no/~alex/
"`Ford, you're turning into a penguin. Stop it.'" --Douglas Adams, _The Hitchhiker's Guide to the Galaxy_
-----Original Message-----
From: corbet@eklektix.com [mailto:corbet@eklektix.com]
Sent: 17. juni 1999 02:41
To: zope@zope.org
Subject: [Zope] Revoking authentication (or: logging out)?
I'm working on a system to make medical records available via a web interface. It needs to make different levels of access available to different sorts of people (doctors, nurses, clerical staff) - a perfect match for Zope's roles.
But I've encountered one rub: the web browser will be running on PCs sitting in various spots in the clinic's offices: the doctor's office, work areas, even examination rooms. There will be a different person sitting down at it every few minutes. But, with "Basic" authentication, once the web browser has your username/password in its clutches, it never lets go.
We're dealing with medical records here, so it is a poor idea to leave a "logged in" browser sitting around in a public place. What I am looking for is a way to put in a "log out" option that stops short of killing and restarting the browser. Has anybody else figured out a way to do this?
Thanks,
jon
Jonathan Corbet, Eklektix, Inc. corbet@eklektix.com
_______________________________________________ Zope maillist - Zope@zope.org http://www.zope.org/mailman/listinfo/zope
(For developer-specific issues, use the companion list, zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )
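The cookie scheme Alexander sketches above, written out as an added example; this is not code from the thread, from Zope, or from any Zope Product. It assumes a few things the reply leaves open: the token is signed with an HMAC so the browser can read but not alter the user, role and expiry fields; a server-side set of revoked session ids makes "log out" stick even though the browser still holds the cookie (the point that Basic auth cannot deliver, since the browser re-sends cached Basic credentials until it exits); and the URL-embedding variant is the same token hex-encoded into a query parameter, which is only obfuscation, so the HMAC, not the hex, is what protects the fields. The user names, roles and paths are constructed for the demo, and the "session" cookie name and "s" query parameter are arbitrary choices. A real Zope deployment would still need to hook this into its own UserFolder, as the reply says.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed demo secret: load from configuration in a real deployment.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
SESSION_LIFETIME = 15 * 60  # seconds; keep it short on shared clinic terminals

# Constructed role table: which roles may read which path.
ROLE_ACCESS = {"/records": {"doctor", "nurse"}, "/billing": {"clerk", "doctor"}}

# Server-side revocation set. Logout adds the session id here, so a browser
# that keeps re-sending the old cookie is still refused.
_revoked = set()


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, role: str, now: Optional[float] = None) -> str:
    """Token format: user|role|expiry|session_id|mac (fields must not contain '|')."""
    now = time.time() if now is None else now
    payload = f"{user}|{role}|{int(now) + SESSION_LIFETIME}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"


def check_token(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (user, role) for a correctly signed, unexpired, unrevoked token, else None."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 5:
        return None
    user, role, expiry, session_id, mac = parts
    # Constant-time compare so a forger cannot learn the MAC byte by byte.
    if not hmac.compare_digest(mac, _sign("|".join(parts[:4]))):
        return None
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    if session_id in _revoked:
        return None
    return user, role


def logout(token: str) -> None:
    """Revoke a genuine token's session id; junk tokens are ignored, not stored."""
    parts = token.split("|")
    if len(parts) == 5 and hmac.compare_digest(parts[4], _sign("|".join(parts[:4]))):
        _revoked.add(parts[3])


def to_url_token(token: str) -> str:
    """The 'hexbin' variant: same token, hex-encoded for embedding in a URL."""
    return token.encode().hex()


def from_url_token(hexstr: str) -> Optional[str]:
    try:
        return bytes.fromhex(hexstr).decode()
    except ValueError:
        return None


def _session_from_cookie(cookie_header: str) -> Optional[str]:
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def handle_request(method: str, path: str, headers: dict,
                   query: Optional[dict] = None, now: Optional[float] = None):
    """Minimal page handler: returns (status, body, response_headers)."""
    query = query or {}
    token = _session_from_cookie(headers.get("Cookie", "")) or from_url_token(query.get("s", ""))
    if path == "/logout":
        if token:
            logout(token)
        # Also tell the browser to drop the cookie; the revocation set is the real guarantee.
        return 200, "Logged out", {"Set-Cookie": "session=; Max-Age=0; HttpOnly; Secure"}
    ident = check_token(token, now) if token else None
    if ident is None:
        return 401, "Not logged in", {}
    user, role = ident
    if role not in ROLE_ACCESS.get(path, set()):
        return 403, f"{role} may not read {path}", {}
    return 200, f"{path} for {user} ({role})", {}
```

Two things worth noticing when running it: after `/logout` the very same cookie value is refused with a 401 even though nothing on the client changed, which is the property Basic auth lacks; and the hex "URL token" decodes back to the readable token, so anyone holding the URL holds the session, which is why the reply warns that every secure URL has to carry it and why a short expiry matters.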