[Zope-dev] Zope security alert and 2.2 information

Chris Withers chrisw@nipltd.com
Wed, 10 May 2000 14:19:39 +0100


"Morten W. Petersen" wrote:
> 
> > Could you have a button that re-logs you in as the new "nobody" user?
> >
> > So, the procedure would be
> >
> > 1: Log in as Manager user
> > 2: Do privileged task
> > 3: Press "finished! log me out" button to return to "nobody".

Hmm, how do this 'nobody' user and the Anonymous user interact?
Are they the same? Should they be? what are the differences?

> Probably. But I think the easiest way to do it would be to just expire the
> authentication cookie.

If, of course, you're using Cookie authentication... which isn't really
the problem.
The problem is HTTP Basic Authentication caching the user's details
until it gets told they've failed authentication for that realm...

Chris
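As an added illustration of the point Chris makes about HTTP Basic Authentication (example code written for this page, not Zope's own code): a small Python model of a user agent that caches Basic credentials for a protection space and only forgets them after a 401 for that realm, next to a server whose "log me out" URL does exactly that by answering 401 with the same realm. The realm name "Zope", the user "manager"/"secret" and the URL paths are constructed for the example; real browsers key their cache on origin and realm and differ in details, so this is a simplified model of the caching behaviour, not a description of any particular browser.

```python
import base64
import re

REALM = "Zope"                 # constructed realm name
USERS = {"manager": "secret"}  # constructed credential store


def basic_header(user, password):
    """Build an Authorization header as a browser would."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except Exception:
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def parse_realm(header):
    """Extract the realm from a 'Basic realm="..."' challenge."""
    match = re.search(r'realm="([^"]*)"', header)
    return match.group(1) if match else ""


def challenge():
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"


def server(path, authorization=None):
    """Toy server: /public is open, /manage needs a valid user, /logout forces a 401."""
    creds = parse_basic(authorization)
    user = creds[0] if creds and USERS.get(creds[0]) == creds[1] else None
    if path == "/public":
        # Open page, but it shows who the browser is still sending along.
        return 200, {}, f"hello {user}" if user else "anonymous OK"
    if path == "/logout":
        # Expiring a cookie does nothing to Basic credentials; the only way to make
        # the browser drop them is to fail authentication for the realm.
        return challenge()
    if path == "/manage":
        return (200, {}, f"hello {user}") if user else challenge()
    return 404, {}, "not found"


class Browser:
    """Models the Basic-auth credential cache of a user agent for one protection space."""

    def __init__(self, prompt):
        self.cached = None    # Authorization header replayed on every request once learnt
        self.prompt = prompt  # callable(realm) -> (user, password), or None if the user cancels

    def get(self, path):
        status, headers, body = server(path, self.cached)
        if status != 401:
            return status, body
        # A 401 for the realm invalidates whatever was cached ...
        self.cached = None
        creds = self.prompt(parse_realm(headers["WWW-Authenticate"]))
        if creds is None:
            return status, body
        # ... and the retry uses what the user typed; it is cached on success.
        header = basic_header(*creds)
        status, headers, body = server(path, header)
        if status != 401:
            self.cached = header
        return status, body


def scenario():
    """Log in as Manager, observe the replayed credentials, then force the 401 'logout'."""
    prompts = []

    def prompt(realm):
        prompts.append(realm)
        # The user types the Manager password once and cancels every later dialog.
        return ("manager", "secret") if len(prompts) == 1 else None

    browser = Browser(prompt)
    log = [
        browser.get("/manage"),  # challenged, user types password -> 200 as manager
        browser.get("/manage"),  # no dialog: cached credentials replayed
        browser.get("/public"),  # open page, yet still visited as manager
        browser.get("/logout"),  # 401 for the realm: cache dropped, user cancels dialog
        browser.get("/manage"),  # challenged again, user cancels -> stays unauthenticated
        browser.get("/public"),  # back to "nobody"
    ]
    return log, prompts
```

Running `scenario()` shows the problem and the fix in one pass: after the first dialog every request in the realm, including the open `/public` page, carries the Manager credentials, and nothing short of a 401 for that realm makes the browser stop. The `/logout` handler in the model is the "finished! log me out" button from the thread: it deliberately fails authentication so the cached header is discarded, after which the user is anonymous again unless they re-enter a password.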