[Seaside] Efficient & trustable authorisation checks?

Avi Bryant avi@beta4.com
Sat, 25 May 2002 12:47:40 -0700 (PDT)
On Sat, 25 May 2002, Tim Rowledge wrote:

> Err, sorry? HTTP auth? Wossat?

HTTP Basic Authentication; it's what the IAAuthenticatedSession uses.
Browser pops up a little dialog asking for name and password; browser then
remembers name and password and sends them in the headers of every
request.  IAAuthenticatedSession checks them for validity on every
request.  The session key is useless without either knowing the user/pass
or having access to the same browser session.

The harder part is asking the browser to forget about the name/pass when
you logout.  I don't remember how this works, but last time I was playing
with implementing it, it was somewhat flaky.  Thus, I don't tend to use
HTTP auth much.  Asking people to quit the browser to log out isn't
ideal.  Maybe things have improved, though, I'll take another look.
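The per-request check described in this message, as an added illustration that is not Seaside or IAAuthenticatedSession code: the `Authorization: Basic` header is parsed and verified on every request, the credential comparison is constant-time, and a request that carries only a session key (without valid credentials) is refused. The user "alice", the password "s3cret", the session key "k-7f3a" and the function names are constructed for the example.

```python
"""Per-request HTTP Basic Authentication check (illustrative, not Seaside code)."""
import base64
import binascii
import hashlib
import hmac
import os


def _hash_password(salt: bytes, password: str) -> bytes:
    """Salted SHA-256 of the password; a real deployment would use a slow KDF."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


# Constructed credential store: username -> (salt, salted hash).
_SALT = os.urandom(16)
CREDENTIALS = {"alice": (_SALT, _hash_password(_SALT, "s3cret"))}

# Constructed session table: session key -> user who authenticated it.
SESSIONS = {"k-7f3a": "alice"}


def basic_header(user: str, password: str) -> str:
    """Build the header value a browser sends after the login dialog."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str):
    """Return (user, password) from an Authorization header value, or None if malformed."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet and bad padding.
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain a colon, so split at the first one.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users still cost a hash."""
    entry = CREDENTIALS.get(user)
    if entry is None:
        _hash_password(b"\x00" * 16, password)
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(salt, password), expected)


def authorise_request(headers: dict, session_key: str, sessions: dict = SESSIONS) -> int:
    """Decide one request. Returns an HTTP status code.

    401: no usable Basic credentials (the browser will prompt again).
    403: credentials are fine but the session key belongs to someone else.
    200: credentials valid and the session is this user's.
    """
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is None or not credentials_valid(*creds):
        return 401
    owner = sessions.get(session_key)
    if owner is None or owner != creds[0]:
        return 403
    return 200


if __name__ == "__main__":
    ok = {"Authorization": basic_header("alice", "s3cret")}
    print(authorise_request(ok, "k-7f3a"))   # 200
    print(authorise_request({}, "k-7f3a"))   # 401: a leaked session key alone is useless
```

The 401 path is also the only lever the server has for "logout": responding 401 with a `WWW-Authenticate` challenge is what prompts the browser to discard or re-ask for the stored name and password, which is the part the message above describes as flaky.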