[Zope-dev] Logout

Michael Bernstein webmaven@lvcm.com
Sat, 08 Apr 2000 12:38:26 +0000


Michel Pelletier wrote:
> 
> HTTP Basic auth essentially does not let you logout.  You have two
> choices, 1) quit your browser, or 2) <dtml-raise
> Unauthorized></dtml-raise>.  The second one, raising Unauthorized, will
> cause your browser to prompt you for login credentials.  To logout, hit
> 'cancel'.
> 
> Keep in mind that none of this has anything to do with Zope, but rather
> HTTP Basic authentication.  They call it 'Basic' for a reason, it's
> simple and not flexible and the HTTP designers probably expected much
> more sophisticated techniques to be developed in its place.  Several
> much more secure and intelligent techniques have been developed, but the
> authors of browser software don't give a damn or want to foist
> proprietary protocols on the user.

Michel,

While I was aware of HTTP basic auth's limitations, and the <dtml-raise
Unauthorized> fix, this was the first time I'd heard of any proposed
extensions/replacements. Can you point to any projects/proposals in this
regard? If support for an improvement could be folded into Apache,
ZServer, and Mozilla, that might put enough pressure on other companies
to support it too.

Michael Bernstein.
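
The logout-by-401 behaviour discussed in this thread, as an added example that is not part of the original messages and is not Zope code: a plain Python handler whose /logout path always answers 401 with a Basic challenge, even for valid credentials, so the browser prompts again. The realm, user name, password, path and port are constructed for illustration.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Demo"                        # assumption: realm name
USERS = {"alice": "constructed-pw"}   # constructed sample credentials


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def respond(path, auth_header):
    """Decide (status, headers, body) for one GET request."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic(auth_header)
    expected = USERS.get(creds[0]) if creds else None
    valid = expected is not None and hmac.compare_digest(
        creds[1].encode(), expected.encode())
    if path == "/logout":
        # Challenge even when the credentials are valid: the browser
        # prompts again, and pressing Cancel leaves the user logged out.
        return 401, challenge, "Logged out. Press Cancel at the prompt.\n"
    if not valid:
        return 401, challenge, "Authentication required.\n"
    return 200, {}, "Hello, %s\n" % creds[0]


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = respond(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Basic credentials are only base64-encoded, so a deployment of this pattern belongs behind TLS.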