[Seaside] Efficient & trustable authorisation checks?
Mon, 27 May 2002 14:58:34 -0700
Avi Bryant <email@example.com> is claimed by the authorities to have written:
> On Sat, 25 May 2002, Tim Rowledge wrote:
> > Err, sorry? HTTP auth? Wossat?
> HTTP Basic Authentication; it's what the IAAuthenticatedSession uses.
> Browser pops up a little dialog asking for name and password; browser then
> remembers name and password and sends them in the headers of every
> request. IAAuthenticatedSession checks them for validity on every
> request. The session key is useless without either knowing the user/pass
> or having access to the same browser session.
Ah, ok, that makes reasonable sense I guess. So I can cache the two
items in my session once the mug^H^H^Huser has logged on and just do a
> The harder part is asking the browser to forget about the name/pass when
> you logout. I don't remember how this works, but last time I was playing
> with implementing it, it was somewhat flaky. Thus, I don't tend to use
> HTTP auth much. Asking people to quit the browser to log out isn't
> ideal. Maybe things have improved, though, I'll take another look.
So what do you recommend?
Tim Rowledge, firstname.lastname@example.org, http://sumeru.stanford.edu/tim
Programming Department: Mistakes made while you wait.
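
Added example, not part of the original thread and not Seaside code: a Python sketch of the per-request check described above, where the browser resends the name and password in the `Authorization` header and the server validates them each time, so a session key alone is not enough. All names here (`USERS`, `SESSIONS`, `handle`, the realm `demo`) and the sample credentials are constructed assumptions.

```python
import base64, binascii, hashlib, hmac, os, secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo data: one user, stored as (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"tim": (_SALT, _kdf("s3cret", _SALT))}
SESSIONS = {}  # server-issued session key -> user who logged in

def basic_header(user, password):
    """What the browser sends with every request once the user has typed credentials."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Return (user, password), or None when the header is absent or malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def credentials_valid(user, password):
    # Unknown users still cost one KDF run; the comparison is constant-time.
    salt, stored = USERS.get(user, (b"\0" * 16, b""))
    return hmac.compare_digest(_kdf(password, salt), stored)

def new_session(user):
    key = secrets.token_urlsafe(16)
    SESSIONS[key] = user
    return key

def handle(session_key, headers):
    """Check the credentials on every request; return (status, response headers)."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        # Session key alone is not enough: challenge the browser again.
        return 401, {"WWW-Authenticate": 'Basic realm="demo"'}
    if SESSIONS.get(session_key) != creds[0]:
        return 403, {}  # valid user, but not the owner of this session
    return 200, {}
```

Because the credentials travel base64-encoded rather than encrypted on every request, this scheme is only reasonable over TLS.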