[Zope] Cookies for banishing users

Dieter Maurer dieter@handshake.de
Tue, 3 Sep 2002 21:36:23 +0200


Chetan Kumar writes:
 > Dieter Maurer wrote:
 > >Chetan Kumar writes:
 > > > ...
 > > > 6. The user logs out (The cookie should expire here)
 > >You know the "expireCookie" method of the response object?
 > >
 > Yes. I have used this.
 > However, the problem is elsewhere. The users can just click
 > "reload" and the Python script performs its action !! I can
 > stop the Python script from behaving in this manner in a
 > more explicit way, but I would expect that once the cookie
 > is expired the users should not be able to do anything without
 > login.
I see two potential reasons:

  *  You are using "expireCookie" in the wrong way:
     The "path" parameter must be specified in the same way
     as for the respective "setCookie".

     Note that "path" is automatically determined by the browser
     if you do not specify "path" explicitly.

     Please read the Cookie specification for details.

  *  Your permission to role mapping is inadequate:

       Calling a Python Script is protected by the "View" permission.
       By default, "View" is granted to "Anonymous".
       If you do not like that, change the permission to role mapping.

       Read the security chapter in the Zope book for details.


Dieter
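An added illustration of the first point above (not code from the thread or from Zope): a toy browser cookie store that keys cookies by (name, path), with the RFC 6265 default-path rule applied when no "path" is sent. The helpers set_cookie_header and expire_cookie_header are assumed approximations of what RESPONSE.setCookie and RESPONSE.expireCookie emit; the URLs /app/login, /logout and /app/secret are constructed.

```python
from http.cookies import SimpleCookie

def default_path(request_path):
    """RFC 6265 default-path: the directory of the request URL, else '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def set_cookie_header(name, value, path=None):
    """Assumed approximation of RESPONSE.setCookie(name, value, path=...)."""
    return f"{name}={value}" + (f"; Path={path}" if path else "")

def expire_cookie_header(name, path=None):
    """Assumed approximation of RESPONSE.expireCookie(name, path=...);
    Max-Age=0 marks the cookie for deletion."""
    return f"{name}=deleted; Max-Age=0" + (f"; Path={path}" if path else "")

class BrowserCookieJar:
    """Browser-side store keyed by (name, path). An expiring Set-Cookie only
    removes the entry whose path matches exactly, so a mismatched path
    leaves the original session cookie in place."""
    def __init__(self):
        self.store = {}

    def receive(self, header, request_path):
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            path = morsel["path"] or default_path(request_path)
            if morsel["max-age"] == "0":
                self.store.pop((name, path), None)
            else:
                self.store[(name, path)] = morsel.value

    def cookies_for(self, request_path):
        """Cookies the browser would send for request_path (path-match rule)."""
        return {n: v for (n, p), v in self.store.items()
                if request_path == p
                or request_path.startswith(p if p.endswith("/") else p + "/")}

def logout_removes_cookie(set_path, expire_path):
    """Login from /app/login sets 'session'; logout from /logout expires it.
    Returns True only if /app/secret no longer receives the cookie."""
    jar = BrowserCookieJar()
    jar.receive(set_cookie_header("session", "abc123", set_path), "/app/login")
    jar.receive(expire_cookie_header("session", expire_path), "/logout")
    return "session" not in jar.cookies_for("/app/secret")
```

With matching paths the cookie is gone; when either side omits "path" (or uses a different one), the browser keeps sending the old cookie and a "reload" still succeeds.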