[Zope] Security question

Michel Pelletier michel@digicool.com
Fri, 17 Mar 2000 14:56:01 -0800


Daniel.Weber@SEMATECH.Org wrote:
> 
> As far as authorization goes, I've noticed that I get prompted for a
> user-name/password only once during a session.  After you've been validated, it
> appears zope does not prompt you again for that browser session.

Actually, Zope does prompt your client on every single request (that
requires authorization); it must, because HTTP is stateless.  Zope also
validates every single request.

This is a 'feature' of the HTTP Basic Authentication spec that says
browsers can cache auth information.  It is, however, often a shortcoming
that browsers do not let you manually clear this cache.
 
> The reason I'm concerned is that if I have to do maintenance on someone else's
> web browser, how do I ensure that after I leave a person cannot use the back
> button or history list to gain manager access to the site?  Do I have to exit
> the browser when I'm done?

Yes.  Or force the client to discard its cached auth info with a
<dtml-raise Unauthorized></dtml-raise>.

-Michel
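Michel's two points, that the server re-validates every request from scratch because HTTP is stateless, and that a 401 challenge is what makes the browser drop the Basic credentials it cached, as an added Python example. This is not Zope's own code; the realm name, the user table and the /logout path are constructed for the illustration.

```python
"""Stateless per-request HTTP Basic authentication, plus a 'logout' path
that always answers 401 so the browser discards its cached credentials.
Added example, not Zope code; realm, users and paths are constructed."""
import base64
import binascii
import hmac

REALM = "Zope"                      # assumed realm name
USERS = {"manager": "s3cret"}       # constructed sample credential store

def basic_header(user, password):
    """Build the 'Authorization' header value a browser would send."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic(header):
    """Return (user, password) from a Basic auth header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def validate(header, users=USERS):
    """Check the credentials carried on this request only; nothing is
    remembered between requests, exactly as with Basic auth in Zope."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    expected = users.get(user, "")
    # Constant-time compare, run even for unknown users, so response timing
    # reveals neither the password nor whether the username exists.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return ok and user in users

def handle(path, authorization=None):
    """Return (status, headers) for one request. /logout always challenges
    with 401, which makes the browser forget the credentials cached for
    REALM; every other path is re-validated from scratch."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if path == "/logout" or not validate(authorization):
        return 401, challenge
    return 200, {}
```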