[Zope-dev] Logout

Michel Pelletier michel@digicool.com
Sat, 08 Apr 2000 15:58:40 -0700


Sin Hang Kin wrote:
> 
> I just applied for a test account from imeme.net.
> 
> I suddenly realized that there is no logout operation available.

That's ok, you're never 'logged in'.  HTTP is stateless.  There is no
state, you are not logged in or logged out, you log in and log out
every time you make a request.  This is the nature of HTTP.

HTTP Basic authentication is simple: you make a request, and the server
says 'Unauthorized'.  So the browser asks you, the user, for a username
and password.  Now you make a request and hand the server your
credentials; at this point it says 'Ok' or 'Unauthorized'.

If it says 'Ok', then your _browser_ caches your credentials and gives
them to the server _for every request you make_.  The server never
maintains a list of who is 'logged in'.

HTTP Basic auth essentially does not let you logout.  You have two
choices: 1) quit your browser, or 2) <dtml-raise
Unauthorized></dtml-raise>.  The second one, raising Unauthorized, will
cause your browser to prompt you for login credentials.  To logout, hit
'cancel'.

Keep in mind that none of this has anything to do with Zope, but rather
HTTP Basic authentication.  They call it 'Basic' for a reason: it's
simple and not flexible, and the HTTP designers probably expected much
more sophisticated techniques to be developed in its place.  Several
much more secure and intelligent techniques have been developed, but the
authors of browser software don't give a damn or want to foist
proprietary protocols on the user.

-Michel
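The exchange Michel describes, as an added example that is not part of the original post and not Zope's own code: a server that authenticates every request from the Authorization header alone (no session table), a browser model that caches the accepted credentials and resends them on every request, and a /logout path that challenges unconditionally, which is what raising Unauthorized achieves. Python is used because it is Zope's language; the server and browser are simulated in-process rather than over a socket. USERS, REALM, handle, Browser and demo are names invented for this example, and the credential store is constructed for it (plaintext only to keep the demo short).

```python
import base64
import hmac
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], str]

# Constructed credential store for this example only. Plaintext passwords keep
# the demo short; a real deployment stores salted password hashes.
USERS: Dict[str, str] = {"alice": "s3cret"}
REALM = "Zope"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends: 'Basic ' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header into (user, password); None if it is not valid Basic."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def challenge() -> Response:
    """The 401 response that makes the browser prompt for credentials."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"


def handle(path: str, headers: Dict[str, str]) -> Response:
    """Server side: no session table; every request is authenticated on its own."""
    if path == "/logout":
        # The <dtml-raise Unauthorized> trick: challenge unconditionally, whatever was sent.
        return challenge()
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return challenge()
    user, password = creds
    expected = USERS.get(user)
    # Check for an unknown user before the constant-time compare; otherwise an
    # unknown user with an empty password would compare equal to "".
    if expected is None or not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return challenge()
    return 200, {"Content-Type": "text/plain"}, f"Hello {user}, here is {path}"


class Browser:
    """Client side: remembers the last accepted credentials and resends them on every request."""

    def __init__(self, prompt: Callable[[str], Optional[Tuple[str, str]]]):
        self.prompt = prompt        # asked on 401; returns (user, password), or None for Cancel
        self.cached: Optional[str] = None

    def request(self, path: str) -> Response:
        headers = {"Authorization": self.cached} if self.cached else {}
        status, resp_headers, body = handle(path, headers)
        if status != 401:
            return status, resp_headers, body
        # Unauthorized: drop whatever was cached and ask the user (simplified to one retry).
        self.cached = None
        creds = self.prompt(resp_headers.get("WWW-Authenticate", ""))
        if creds is None:
            return status, resp_headers, body      # Cancel: nothing cached, i.e. "logged out"
        self.cached = basic_header(*creds)
        status, resp_headers, body = handle(path, {"Authorization": self.cached})
        if status == 401:
            self.cached = None                      # rejected credentials are not kept
        return status, resp_headers, body


def demo() -> List[int]:
    """Login, a second request with cached credentials, the logout trick, then a request after it.
    Returns the status code the browser ended up with at each step."""
    answers = iter([("alice", "s3cret"), None, None])   # what the user types at each prompt
    browser = Browser(prompt=lambda _realm: next(answers))
    return [
        browser.request("/")[0],          # 401, prompt, retry with credentials -> 200
        browser.request("/private")[0],   # cached header resent automatically -> 200
        browser.request("/logout")[0],    # always 401, prompt, user hits Cancel -> 401
        browser.request("/")[0],          # nothing cached any more, Cancel again -> 401
    ]


if __name__ == "__main__":
    print(demo())
```

Running demo() gives [200, 200, 401, 401]: the first request is challenged and succeeds after the prompt, the second succeeds because the browser resends the cached header on its own, /logout is refused regardless of the credentials sent and the Cancel leaves the cache empty, and from then on the browser is "logged out" until the user types a password again. The server never recorded any of this; the only state lives in the browser.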