[Zope] AUTHENTICATED_USER, and what you can do with it.
Martijn Pieters
mj@antraciet.nl
Wed, 03 Mar 1999 09:06:38 +0100
At 17:37 02/03/99 , you wrote:
>While we are on the subject of AUTHENTICATED_USER, I would like my users to
>be able to "logout" so that they then become anonymous again.
>
>Any ideas?
>
>I have seen this on Dejanews. It would be useful so that authorized users
>don't leave themselves logged in if they don't quit Netscape.
>
>Phil.
>
This is very hard to do from the serverside. I can force a new login, but I
cannot stop a browser from authenticating itself at every request, therefore
effectivly becoming anonymous.
Problem is more that HTTP is stateless, a user is not 'still logged in', but it
autenticates itself at every request. Only when the server says that the
authentication is incorrect, does the browser ask for the username and
password.
What you could do, is write your own UserFolder/User combo, that stores a
last-access time on the User object, and checks for this every time a user is
authenticated. If the difference is greater than, say 15 minutes, you force a
reauthentication by raising a permission denied.
--
M.J. Pieters, Web Developer
| Antraciet http://www.antraciet.nl
| Tel: +31-35-6254545 Fax: +31-35-6254555
| mailto:mj@antraciet.nl http://www.antraciet.nl/~mj
| PGP: http://wwwkeys.nl.pgp.net:11371/pks/lookup?op=get&search=0xA8A32149
------------------------------------------