[Zope] Revoking authentication (or: logging out)?

[michel@digicool.com]

Jonathan Corbet <corbet@eklektix.com> writes:

> I'm working on a system to make medical records available via a web
> interface.  It needs to make different levels of access available to
> different sorts of people (doctors, nurses, clerical staff) - a perfect
> match for Zope's roles.
> 
> But I've encountered one rub: the web browser will be running on PC's
> sitting in various spots in the clinic's offices: the doctor's office, work
> areas, even examination rooms.  There will be a different person sitting
> down at it every few minutes.  But, with "Basic" authentication, once the
> web browser has your username/password in its clutches, it never lets go.
> 
> We're dealing with medical records here, so it is a poor idea to leave a
> "logged in" browser sitting around in a public place.  What I am looking
> for is a way to put in a "log out" option that stops short of killing and
> restarting the browser.  Has anybody else figured out a way to do this?
> 


<!--#raise Unautorized-->
<!--#/raise-->

Will raise a 401 to the browser, typicly causing (netscape at least)
to prompt a box saying "Authorization Failed.  Retry?" Clickin on yes
will bring up a login box.  Clicking cancel will show the Unauthorized 
Error.

I guess as a quick hack, you can impliment a client pull in your
browser to refetch itself, raising it's own unauthorization, forcing
the user to click "Ok" then login again.

Alternatively you can tell your users that they *must* as a policy
click 'log out' (which takes you to a DTML Method with the above DTML
code snippet).

Cookies is probably the more elegant solution.

-Michel

> Thanks,
> 
> jon
> 
> Jonathan Corbet, Eklektix, Inc.
> corbet@eklektix.com
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://www.zope.org/mailman/listinfo/zope
> 
> (For developer-specific issues, use the companion list,
> zope-dev@zope.org - http://www.zope.org/mailman/listinfo/zope-dev )