[Zope] Prompting for login, logging out?

Sam Gendler sgendler@teknolojix.com
Thu, 02 Dec 1999 14:23:48 -0800


>
> Also, I'm still interested in that snippet of code that logs out the
> current user (I think it removes a cookie?  I'm not sure).  If someone
> could post that, I'd be grateful.
>
> Thanks in advance.

Logging a user out is simple.  The normal acl_users folder uses basic user
authentication.  This form of authentication causes a browser to send the
supplied username and password on every request made to that domain name.  The
browser will not stop sending this authentication header until the browser is
restarted or a page comes back unauthorized, in which case a new login dialog
box gets sent to the user.  Consequently, if you write a dtml method that sends
a 401 Not-Authorized message back to the user, the browser will present a new
login box to the user, and it will stop sending the old one.  Unfortunately,
there is no way to combine a redirection with a 401 message, so you cannot
invalidate their authentication and redirect them to an anonymously available
page at the same time.  Consequently, the best you will be able to do is to have
them click log out and be immediately faced with a new login box.  You can
provide a page that shows up when the user clicks cancel on the dialog box,
though.

Don't despair, there is a way around it.  If you use the Generic User Folder or
the UserDb product, you can have a user authenticate with an HTML form instead
of through HTTP basic authentication.  In this method, you have them submit a
username and password in text boxes in a form field, and if their authentication
checks out, you can set a cookie on their browser.  All subsequent requests will
be served with that cookie, until the cookie expires.  You probably want to make
the cookie expire in 15 or 30 minutes.  Every subsequent request to the site
should set the same cookie with a new expiration date, 15 or 30 minutes into the
future.  That way, if a user leaves the site for more than 15 or 30 minutes,
their cookie expires and the next time they access the site, they will be
redirected to the login page again.  To log a user out with this mechanism, just
have the logout method set the expiration on the cookie to be immediate, but
make that page available to anonymous users.  That way, they will see the logout
page, but if they try to go to any other authenticated page, they will just get
the login form again.

Enjoy.

--sam
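The cookie scheme the post describes (issue on login, re-issue with a fresh 15-minute expiry on every request, expire immediately on logout), written up as an added Python example; it is not Zope code or the poster's. It goes one step beyond the post by carrying the expiry inside an HMAC-signed cookie value so the server, not the browser, decides when the session ends; the secret, cookie name and token layout are assumptions.

```python
"""Sliding-expiration login cookie, modelled on the Zope list post (constructed example)."""
import hmac
import hashlib
from email.utils import formatdate

SECRET = b"replace-with-a-random-server-secret"  # assumption: per-server secret, kept off the client
TIMEOUT = 15 * 60                                 # 15 minutes, one of the two values the post suggests


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(user: str, now: float) -> str:
    """Cookie value = user|expiry|mac.  The expiry inside the value is what the
    server trusts; the Expires attribute only tells the browser when to drop it."""
    exp = int(now) + TIMEOUT
    payload = f"{user}|{exp}"
    return f"{payload}|{_sign(payload)}"


def set_cookie_header(value: str, expires_at: float) -> str:
    return f"Set-Cookie: auth={value}; Expires={formatdate(expires_at, usegmt=True)}; Path=/"


def check_and_refresh(cookie: str, now: float):
    """Return (user, Set-Cookie header) for a valid cookie, else None.
    Every valid request re-issues the cookie with a new expiry (sliding window),
    so a user idle for more than TIMEOUT is sent back to the login form."""
    try:
        user, exp, mac = cookie.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _sign(f"{user}|{exp}")):
        return None  # forged or tampered value
    if int(exp) <= now:
        return None  # idle too long; caller redirects to the login form
    fresh = make_cookie(user, now)
    return user, set_cookie_header(fresh, now + TIMEOUT)


def logout_header() -> str:
    """Expire the cookie immediately.  The logout page itself must be anonymous,
    otherwise the now-cookieless user is bounced to the login form instead."""
    return "Set-Cookie: auth=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"


def basic_auth_logout_response():
    """For HTTP Basic (plain acl_users): only a fresh 401 challenge makes the
    browser drop its cached credentials, and it cannot be combined with a redirect."""
    return 401, {"WWW-Authenticate": 'Basic realm="Zope"'}
```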