[Seaside] Efficient & trustable authorisation checks?
Tim Rowledge
tim@sumeru.stanford.edu
Mon, 27 May 2002 14:58:34 -0700
Avi Bryant <avi@beta4.com> is claimed by the authorities to have written:
> On Sat, 25 May 2002, Tim Rowledge wrote:
>
> > Err, sorry? HTTP auth? Wossat?
>
> HTTP Basic Authentication; it's what the IAAuthenticatedSession uses.
> Browser pops up a little dialog asking for name and password; browser then
> remembers name and password and sends them in the headers of every
> request. IAAuthenticatedSession checks them for validity on every
> request. The session key is useless without either knowing the user/pass
> or having access to the same browser session.
Ah, ok, that makes reasonable sense I guess. So I can cache the two
items in my session once the mug^H^H^Huser has logged on and just do a
quick compare?
>
> The harder part is asking the browser to forget about the name/pass when
> you logout. I don't remember how this works, but last time I was playing
> with implementing it, it was somewhat flaky. Thus, I don't tend to use
> HTTP auth much. Asking people to quit the browser to log out isn't
> ideal. Maybe things have improved, though, I'll take another look.
So what do you recommend?
tim
--
Tim Rowledge, tim@sumeru.stanford.edu, http://sumeru.stanford.edu/tim
Programming Department: Mistakes made while you wait.
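The scheme Avi describes above (browser resends name and password in the Authorization header on every request; the server checks them each time, and caches something in the session so that the per-request check is cheap) written out as an added example. This is not Seaside or IAAuthenticatedSession code, and it is Python rather than Smalltalk; the user store, the helper names (parse_basic, slow_verify, Session, handle) and the realm string are all invented for the illustration. The point it adds to the thread is the "cache it and do a quick compare" detail: the session keeps an HMAC of the credential pair under a per-session key, not the plaintext password, and the quick compare is constant-time.

```python
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor for the slow, first-request check


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 verifier for a constructed user store (hypothetical helper)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample data: one user with a known password.
USERS: Dict[str, Tuple[bytes, bytes]] = {"tim": make_record("correct horse")}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic <base64>' header. Returns (user, password) or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # split on the FIRST colon; passwords may contain ':'
    return user, password


def slow_verify(user: str, password: str) -> bool:
    """Full check against the user store; deliberately expensive, done once per session."""
    record = USERS.get(user)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    salt, expected = record
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)


@dataclass
class Session:
    """Server-side session: the key alone is useless without the matching credentials."""
    key: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    mac_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    user: Optional[str] = None
    cred_tag: Optional[bytes] = None

    def _tag(self, user: str, password: str) -> bytes:
        # What gets cached: an HMAC of the pair under a per-session key, not the password.
        return hmac.new(self.mac_key, f"{user}:{password}".encode(), "sha256").digest()

    def authenticate(self, header: Optional[str]) -> bool:
        creds = parse_basic(header)
        if creds is None:
            return False
        user, password = creds
        if self.user is not None and self.cred_tag is not None:
            # Quick path on every later request: one HMAC and a constant-time compare.
            return hmac.compare_digest(self._tag(user, password), self.cred_tag)
        if not slow_verify(user, password):
            return False
        self.user, self.cred_tag = user, self._tag(user, password)
        return True

    def logout(self) -> None:
        """Forget the cached credential; the browser, however, still remembers its copy."""
        self.user, self.cred_tag = None, None
        self.mac_key = secrets.token_bytes(32)


def handle(session: Session, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Minimal request handler: 200 if the credentials check out, else a 401 challenge."""
    if session.authenticate(headers.get("Authorization")):
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="seaside"'}


if __name__ == "__main__":
    s = Session()
    good = {"Authorization": basic_header("tim", "correct horse")}
    print(handle(s, good)[0], handle(s, good)[0])          # slow path, then quick path
    print(handle(s, {"Authorization": basic_header("tim", "wrong")})[0])
    s.logout()
    print(handle(s, good)[0])                               # browser resends: logged in again
```

The last lines of the demo are the logout problem Avi mentions: after logout() the server has forgotten everything, but the browser keeps sending the same header, so the very next request re-authenticates through the slow path and the user is logged in again. A server can only refuse (for example answer a logout URL with 401) or change the realm and hope the browser discards its cached pair; how browsers react to that is not standardised, which is why Basic auth is awkward for anything that needs a real logout.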