[Zope] Revoking authentication (or: logging out)?

Jeff Bauer jeffbauer@bigfoot.com
Wed, 16 Jun 1999 19:55:57 -0500


Jonathan Corbet wrote:
> We're dealing with medical records here, so it is a poor 
> idea to leave a "logged in" browser sitting around in a 
> public place.  What I am looking for is a way to put in 
> a "log out" option that stops short of killing and
> restarting the browser.  Has anybody else figured out a 
> way to do this?

We have the same patient confidentiality issues to address
in a similar domain.  My solution is to create a session manager
that forces a user timeout after a period of inactivity, 
typically 10-20 minutes.  In this scenario, it is necessary 
to bypass basic authentication and roll your own.  I'm still 
experimenting; it's not really mainstream Zope.

A timeout solution isn't perfect, but it's an improvement.
I'm open to other suggestions that don't require special
security equipment.

Best regards,

Jeff Bauer
Rubicon, Inc.
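
An added example, not part of the original post and not Zope's or the poster's code: a minimal server-side session table in Python showing the inactivity timeout described above, plus a "log out" that revokes the session without restarting the browser. The class and method names, the 15-minute default and the injectable clock are assumptions made for this illustration.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed default, inside the 10-20 minute range in the post


class SessionManager:
    """Server-side session table with an idle timeout and explicit logout."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so the timeout can be exercised in tests
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, last_seen)

    def login(self, user: str) -> str:
        """Call only after credentials were verified; returns the cookie value."""
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._sessions[token] = (user, self._clock())
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user for a live session, None if unknown or idle too long."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        if self._clock() - last_seen > self._idle_timeout:
            del self._sessions[token]  # expired: drop the server-side state
            return None
        self._sessions[token] = (user, self._clock())  # activity resets the idle timer
        return user

    def logout(self, token: str) -> None:
        """Revoke the session; the old cookie is useless even if the browser keeps it."""
        self._sessions.pop(token, None)


class FakeClock:
    """Constructed test clock: time moves only when advance() is called."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

Because the session state lives on the server, both the timeout and the logout take effect regardless of what the browser has cached, which is what HTTP basic authentication cannot offer.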