[Zope] Summary: revoking authentication

Jonathan Corbet corbet@eklektix.com
Thu, 17 Jun 1999 12:46:41 -0600


Thanks to everybody who answered my question; I have gotten everything
*almost* to the point I need.

The problem, remember, was that I needed to be able to explicitly "log out"
users of a Zope-powered site.  The normal "basic" authentication mechanism
does not allow for that - once the browser has its grip on your username
and password, it doesn't let go until the browser restarts.  (Which, with
the 4.6 Netscape I just installed, is generally within about 15 minutes,
but I digress...grumble...)

The solution: get the unsupported UserDB product from 

	http://www.zope.org/Download/Unsupported

and install it.  UserDB will authenticate users from an SQL database, which
works well for my application.  But, more to the point, it can be set up
to use cookies for authentication purposes.  Cookies can be reset from the
server, thus allowing a "log out" capability.

To allow users to log themselves out, simply give them a link to
"acl_users/logout" and it happens.  (NOT acl_users/docLogout, as suggested
by one person - that looks like it works, but does not).

The next thing to do is to add an expiration to the cookies, which I have
not yet done.  That deals with the "they forgot to log out" case -
something that has been known to happen every year or so.

Only one problem remains: I've not yet found a way to enable UserDB
authentication in the top-level folder.  Trying to set up UserDB there
brings a complaint that acl_users already exists; Zope, however, will not
let you delete acl_users from the top-level folder.  That's an annoyance,
but it can be worked around.  I'm happy.

Thanks again!

jon

Jonathan Corbet, Eklektix, Inc.
corbet@eklektix.com
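
An added example, not part of the original message and not UserDB's code: a stdlib-only Python sketch of the cookie scheme described above, with the server-side "log out" and the cookie expiration the message mentions as the next step. The cookie name, the 30-minute lifetime and the in-memory session table are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "session"   # assumed cookie name, not UserDB's
MAX_AGE = 30 * 60         # assumed lifetime: 30 minutes
_sessions = {}            # token -> (username, expiry time); in-memory for the demo


def _set_cookie(value, max_age):
    """Build a Set-Cookie header value for the session cookie."""
    c = SimpleCookie()
    c[COOKIE_NAME] = value
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["max-age"] = max_age
    c[COOKIE_NAME]["httponly"] = True   # keep the token away from page scripts
    c[COOKIE_NAME]["secure"] = True     # send over HTTPS only
    return c[COOKIE_NAME].OutputString()


def _token(cookie_header):
    """Extract the session token from a Cookie request header, or None."""
    morsel = SimpleCookie(cookie_header or "").get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def login(username, now=None):
    """Call after the password check succeeds; returns the Set-Cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # random, carries no credentials
    _sessions[token] = (username, now + MAX_AGE)
    return _set_cookie(token, MAX_AGE)


def authenticate(cookie_header, now=None):
    """Return the username for a live session, else None."""
    now = time.time() if now is None else now
    token = _token(cookie_header)
    user, expiry = _sessions.get(token, (None, 0))
    if user is None or now >= expiry:
        _sessions.pop(token, None)      # expiry is enforced server-side too
        return None
    return user


def logout(cookie_header):
    """Forget the session on the server, then tell the browser to drop it."""
    _sessions.pop(_token(cookie_header), None)
    return _set_cookie("", 0)
```

Because the token is deleted from the server's table on logout and on expiry, a copy of the old cookie replayed later is rejected even if the browser never honoured the reset.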