[Zope] Logging out a user (in code)

Dario Lopez-Kästen dario@ita.chalmers.se
Mon, 9 Jul 2001 11:37:47 +0200


Christian Theune <ct@gocept.com> wrote:
> On Sun, Jul 08, 2001 at 11:50:42PM +0200, Dieter Maurer wrote:
>> With cookie based authentication, you simply kill the cookie.
> [...]
>
> Really? Just think, what happens if the user manually copies its
> cookie and stores it back on the browser?
>
> You have to tell the server to forget, that this cookie is
> authorized ... ?
>
> (I'm not sure on that ... )

A better way would be to track the cookie's value on the server; then you can
kill the cookie both on the client and prevent its re-usage from the server
side.

An example would be to store the cookie's key, the value of the cookie along
with a timeout on the server side. So long as you have a valid request, you
update the timeout value on the server side.

When the user logs out you set the timeout to "now". The next time the user
tries to do something the server detects that the cookie is invalid (based
on the timeout) and takes appropriate action (i.e. redirecting to login
screen).

Hope this helps.

/dario
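The server-side session table the post describes, as an added example (not code from the thread or from Zope): the cookie value is the key, each request slides the timeout, and logout sets the timeout to "now", so a saved copy of the cookie is refused afterwards. The class and constant names are my own, and timestamps are passed in explicitly so the behaviour is deterministic.

```python
import secrets
import time

# Added example, not from the original thread. Idle limit is an assumed value.
IDLE_SECONDS = 15 * 60


class SessionStore:
    """Server-side record of issued cookies: cookie value -> (user, expires_at)."""

    def __init__(self, idle_seconds=IDLE_SECONDS):
        self.idle_seconds = idle_seconds
        self._sessions = {}

    def login(self, user, now=None):
        """Issue a fresh, unguessable cookie value and record it server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, now + self.idle_seconds)
        return token

    def validate(self, token, now=None):
        """Return the user for a live session and slide its timeout forward.

        Returns None when the cookie is unknown or its timeout has passed;
        a dead entry is removed so it cannot linger in the table."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(token, None)
            return None
        self._sessions[token] = (user, now + self.idle_seconds)
        return user

    def logout(self, token, now=None):
        """Set the session's timeout to 'now', as the post suggests.

        Deleting the client cookie alone is not enough: a copy the user
        saved earlier would still be accepted. After this call validate()
        rejects that copy as well."""
        now = time.time() if now is None else now
        if token in self._sessions:
            user, _ = self._sessions[token]
            self._sessions[token] = (user, now)
```

Deleting the entry outright on logout works just as well; expiring it keeps the single "is the timeout in the past?" check as the only decision point.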