[Zope] Logout with standard basic authentification

Marcus Collins mcollins@sunesi.com
Thu, 30 Mar 2000 12:30:20 +0200


Thanks for pointing that out. 

As I understand it, this is a limitation of the HTTP Basic Auth. spec. RFC
2617 deals with this, and says that a client may preemptively send the Auth.
header with requests without receipt of another challenge (section 2). The
browser sends this information for every request in the zope realm (if it
didn't, you'd get the login box on every page). The server also sends an
authentication required header for every page that is protected, so this
behaviour in fact is quite logical.

The only way around it is to use a different authentication mechanism, like
Generic User Folder, et al.

Oh, yeah, and I meant 401 Unauthorised... what a week...

-- Marcus

> -----Original Message-----
> From: Terry Kerr [mailto:terry@adroitnet.com.au]
> Sent: 30 March 2000 13:06
> To: Marcus Collins; zope@zope.org
> Subject: Re: [Zope] Logout with standard basic authentification
> 
> 
> The problem with this is that the browser will not clear its cache of this
> valid username/password unless the user clicks 'OK' on the login dialog box
> that pops up.  If the user clicks 'Cancel' then the browser assumes that
> the user doesn't want to change the username/password, and keeps the
> existing one in cache, hence, a reload of the page will be successful.
> 
> Does anyone know of any tricks to get around this?
> 
> terry
> 
> Marcus Collins wrote:
> 
> > Hi,
> >
> > With basic authentication, the user's browser caches the username and
> > password, and sends them along with each request. All you can do to
> > invalidate the cached values is raise an "Unauthorized" exception.
> >
> > <dtml-raise type="Unauthorized">
> >  You have been logged out. Please log in again.
> > </dtml-raise>
> >
> > This sends an HTTP 500 Unauthorized back to your browser, which should
> > display the basic auth. login box again.
> >
> > See http://www.zope.org/Documentation/Guides/DTML-HTML/DTML.12.html for
> > details.
> >
> > hth,
> >
> > -- Marcus
> >
> > > -----Original Message-----
> > > From: ibriones [mailto:ibriones@amutis.com]
> > > Sent: 30 March 2000 10:36
> > > To: zope@zope.org
> > > Subject: [Zope] Logout with standard basic authentification
> > >
> > >
> > > I have tried to logout with standard basic authentication,
> > > but I have not seen anything in the Mailing List.
> > > I have only seen log out with cookie-based authentication, but I have
> > > to use standard authentication. I don't know how I can do it.
> > > What can I do to logout with standard basic authentication?
> > >
> > > Thanks
> > >
> > > --
> > > Ismael Briones Vilar    Administrador de Sistemas
> > > ibriones@amutis.com     Amutis Telecomunicaciones S.A.
> > > Tlf: +34 96.353.67.67   Gran Vía Marqués del Turia, 27, 1
> > > Fax: +34 96.353.53.58   46005 Valencia (Spain)
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Zope maillist  -  Zope@zope.org
> > > http://lists.zope.org/mailman/listinfo/zope
> > > **   No cross posts or HTML encoding!  **
> > > (Related lists -
> > >  http://lists.zope.org/mailman/listinfo/zope-announce
> > >  http://lists.zope.org/mailman/listinfo/zope-dev )
> > >
> >
> 
>
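
A small model of the behaviour discussed in this thread, added here as an illustration and not taken from Zope or from any poster: a WSGI app whose `/logout` always answers 401, and a constructed `Client` class standing in for a browser's credential cache. The account, realm name and paths are assumptions.

```python
import base64
import hmac
USERS = {"demo": "s3cret"}  # constructed sample account
REALM = "zope"              # realm name assumed for illustration

def check_basic(header):
    """Return the user name if the Authorization header holds valid Basic credentials."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode("utf-8").partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    known = USERS.get(user)
    ok = known is not None and hmac.compare_digest(known.encode(), pw.encode())
    return user if ok else None

def app(environ, start_response):
    user = check_basic(environ.get("HTTP_AUTHORIZATION"))
    if environ.get("PATH_INFO") == "/logout" or user is None:
        # A 401 with a new challenge is all the server can do; it cannot clear the client's cache.
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="%s"' % REALM)])
        return [b"You have been logged out. Please log in again.\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("Hello %s\n" % user).encode()]

class Client:
    """Constructed model of a browser's credential cache for one realm."""
    cached = None
    def _send(self, path):
        env = {"PATH_INFO": path}
        if self.cached:  # sent pre-emptively on every request (RFC 2617, section 2)
            env["HTTP_AUTHORIZATION"] = self.cached
        seen = []
        app(env, lambda status, headers: seen.append(status))
        return seen[0]

    def get(self, path, dialog=None):
        """dialog=None models 'Cancel'; dialog=(user, password) models 'OK'."""
        status = self._send(path)
        if status.startswith("401") and dialog is not None:
            self.cached = "Basic " + base64.b64encode(("%s:%s" % dialog).encode()).decode()
            status = self._send(path)  # retry once with the newly entered values
        return status

def demo():
    c = Client()
    steps = [("/page", ("demo", "s3cret")), ("/logout", None), ("/page", None),
             ("/logout", ("demo", "wrong")), ("/page", None)]
    return [c.get(path, dialog) for path, dialog in steps]
```

`demo()` returns the status of each step: after 'Cancel' on the logout challenge the page still loads, and only after 'OK' with different values does the next request fail.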