[Seaside] Efficient & trustable authorisation checks?

Tim Rowledge tim@sumeru.stanford.edu
Mon, 27 May 2002 14:58:34 -0700

Avi Bryant <avi@beta4.com> is claimed by the authorities to have written:

> On Sat, 25 May 2002, Tim Rowledge wrote:
> > Err, sorry? HTTP auth? Wossat?
> HTTP Basic Authentication; it's what the IAAuthenticatedSession uses.
> Browser pops up a little dialog asking for name and password; browser then
> remembers name and password and sends them in the headers of every
> request.  IAAuthenticatedSession checks them for validity on every
> request.  The session key is useless without either knowing the user/pass
> or having access to the same browser session.
Ah, ok, that makes reasonable sense I guess. So I can cache the two
items in my session once the mug^H^H^Huser has logged on and just do a
quick compare? 
> The harder part is asking the browser to forget about the name/pass when
> you logout.  I don't remember how this works, but last time I was playing
> with implementing it, it was somewhat flaky.  Thus, I don't tend to use
> HTTP auth much.  Asking people to quit the browser to log out isn't
> ideal.  Maybe things have improved, though, I'll take another look.
So what do you recommend?


Tim Rowledge, tim@sumeru.stanford.edu, http://sumeru.stanford.edu/tim
Programming Department:  Mistakes made while you wait.
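The scheme Avi describes above (a session key that is useless on its own because every request must also carry HTTP Basic credentials that the server re-checks), as an added Python model that is not part of the original thread or of Seaside; the names USERS, SESSIONS, login and check_request are illustrative, not the real IAAuthenticatedSession API, and the user/password pair is constructed.

```python
import base64
import hmac
import secrets

# Constructed toy of the behaviour described in the thread: a Seaside-style
# session key alone grants nothing; each request must also present Basic
# credentials that are re-validated. Names are illustrative, not Seaside's API.
USERS = {"alice": "correct horse battery"}   # constructed sample credentials
SESSIONS = {}                                # session key -> user it was issued to

def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser resends on every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def credentials_valid(user, password):
    expected = USERS.get(user)
    if expected is None:
        return False
    # Constant-time compare: a plain == would leak how much of the password matched.
    return hmac.compare_digest(expected.encode(), password.encode())

def login(auth_header):
    """On a valid first request, mint a fresh random session key bound to the user."""
    creds = parse_basic(auth_header)
    if creds is None or not credentials_valid(*creds):
        return None
    key = secrets.token_urlsafe(16)
    SESSIONS[key] = creds[0]
    return key

def check_request(session_key, auth_header):
    """Re-check on every request, as the thread says IAAuthenticatedSession does.
    Returns 200 (ok), 401 (browser must show the name/password dialog) or 403."""
    creds = parse_basic(auth_header)
    if creds is None or not credentials_valid(*creds):
        return 401
    if SESSIONS.get(session_key) != creds[0]:
        return 403      # credentials fine, but this session key was not issued to that user
    return 200
```

A request carrying only a leaked session key gets 401, which is the property the thread relies on; the logout problem Avi mentions is visible here too, since nothing on the server can make the browser stop resending the header.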