[Zope-dev] Zope security alert and 2.2 information

Anthony Baxter <anthony@interlink.com.au>
Wed, 10 May 2000 23:26:50 +1000


>>> Chris Withers wrote
> The problem is HTTP Basic Authentication caching the user's details
> until it gets told they've failed authentication for that realm...

.. and even then, if they've had a previous successful auth for a
page, the browser will re-use the token. The only _real_ way to do
it properly is to pass a token to the client, and use that token to
reference their authentication information. That way, when they log
out, you destroy the authentication information on the server side.

Anthony

-- 
Anthony Baxter     <anthony@interlink.com.au>   
It's never too late to have a happy childhood.
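The server-side token approach Anthony describes above, as an added example in Python (not code from this mailing list thread or from Zope itself): the client is handed only an opaque random token, the user identity and expiry are kept on the server, and logout deletes that record, so a browser that keeps resending the old token, as it would with cached Basic Auth credentials, gains nothing. The credential table, salt and the plain salted-SHA-256 password scheme are constructed for the demo; the cookie or header plumbing that carries the token is left out.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential table for the demo only (assumption:
# a real deployment would use a purpose-built password hash such as
# bcrypt, scrypt or argon2 rather than salted SHA-256).
_SALT = b"demo-salt"
_USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}


def verify_password(username, password):
    """Check a password against the constructed table in constant time."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    actual = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


class SessionStore:
    """Server-side authentication state referenced by an opaque token.

    The client only ever holds the random token; the user identity and
    expiry live here, so logout can destroy them regardless of what the
    browser chooses to cache or resend.
    """

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}      # sha256(token) -> {"user", "expires"}
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so tests are deterministic

    @staticmethod
    def _key(token):
        # Store only a hash of the token so a leaked copy of the table
        # cannot be replayed as live sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, password):
        """Return a fresh token on success, or None on failure."""
        if not verify_password(username, password):
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG
        self._sessions[self._key(token)] = {
            "user": username,
            "expires": self._clock() + self._ttl,
        }
        return token

    def user_for(self, token):
        """Resolve a token to a username; None if unknown, expired or logged out."""
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            del self._sessions[key]          # lazy expiry
            return None
        return entry["user"]

    def logout(self, token):
        """Destroy the server-side record; the token is dead even if resent."""
        return self._sessions.pop(self._key(token), None) is not None


def demo():
    """Walk through login, authenticated request, logout, replay and expiry."""
    now = [1000.0]
    store = SessionStore(ttl_seconds=60, clock=lambda: now[0])
    assert store.login("alice", "wrong") is None
    token = store.login("alice", "correct horse")
    before = store.user_for(token)      # "alice"
    store.logout(token)
    after = store.user_for(token)       # None: resending the token gains nothing
    token2 = store.login("alice", "correct horse")
    now[0] += 61                        # advance the injected clock past the TTL
    expired = store.user_for(token2)    # None: past TTL
    return before, after, expired


if __name__ == "__main__":
    print(demo())
```

Hashing the token before using it as the dictionary key is the one design choice worth noting: it costs nothing and means a dump of the session table is not itself a set of usable credentials.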