[Zope] AUTHENTICATED_USER, and what you can do with it.
Michel Pelletier
michel@digicool.com
Wed, 3 Mar 1999 09:39:57 -0500
> -----Original Message-----
> From: Anthony Baxter [mailto:anthony@interlink.com.au]
> Sent: Wednesday, March 03, 1999 3:21 AM
> To: Martijn Pieters
> Cc: zope@zope.org
> Subject: Re: [Zope] AUTHENTICATED_USER, and what you can do with it.
>
>
>
> > What you could do, is write your own UserFolder/User combo, that stores a
> > last-access time on the User object, and checks for this every time a user is
> > authenticated. If the difference is greater than, say 15 minutes, you force a
> > reauthentication by raising a permission denied.
>
> I tried playing with this once upon a time, but I found that the stupid
> browser still cached the original result and would continue to use it after
> the failed login/relogin combination. Most frustrating.
>
Cookies or passing around secret messages would be the way to avoid
this; don't use Basic authentication at all. The UserDB product shows
off a User Folder that uses cookies, and possibly today I am releasing a
User Folder product that authenticates off of a flat file, like
/etc/passwd, for alpha testing, which also uses either Basic or Cookie
auth. If you use Cookie auth you are presented with a login/logout
screen to set/clear the cookie.
-Michel
> Anthony
>
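The difference between the two approaches in this thread, as an added Python example that is not part of the original message and is not Zope or UserDB code: a last-access timeout checked against Basic credentials cannot tell cached credentials from retyped ones, while a server-issued cookie token stays dead once expired or cleared. The names `BasicAuthFolder`, `CookieAuthFolder`, `USERS` and `IDLE_LIMIT` are hypothetical, and the credentials are constructed.

```python
import hmac
import secrets

IDLE_LIMIT = 15 * 60            # seconds; the 15 minutes suggested in the thread
USERS = {"anthony": "s3cret"}   # constructed sample; a real store holds password hashes

def password_ok(user, password):
    return user in USERS and hmac.compare_digest(USERS[user], password)

class BasicAuthFolder:
    """Idle timeout layered on Basic auth: last-access time kept per user."""
    def __init__(self):
        self.last_access = {}

    def authenticate(self, user, password, now):
        if not password_ok(user, password):
            return 401
        last = self.last_access.get(user)
        if last is not None and now - last > IDLE_LIMIT:
            del self.last_access[user]   # deny once to force a new login
            return 401
        # The browser resends its cached credentials on every request, so the
        # request after the denial lands here without the user typing anything.
        self.last_access[user] = now
        return 200

class CookieAuthFolder:
    """Idle timeout on a random session token carried in a cookie."""
    def __init__(self):
        self.sessions = {}               # token -> (user, last_access)

    def login(self, user, password, now):
        if not password_ok(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now)
        return token

    def logout(self, token):
        self.sessions.pop(token, None)   # the logout screen clears the cookie

    def authenticate(self, token, now):
        entry = self.sessions.get(token)
        if entry is None:
            return 401
        user, last = entry
        if now - last > IDLE_LIMIT:
            del self.sessions[token]     # replaying the old cookie never works again
            return 401
        self.sessions[token] = (user, now)
        return 200
```
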