[Seaside] Efficient & trustable authorisation checks?

Avi Bryant avi@beta4.com
Mon, 27 May 2002 15:13:04 -0700 (PDT)


On Mon, 27 May 2002, Tim Rowledge wrote:

> > HTTP Basic Authentication; it's what the IAAuthenticatedSession uses.
> > Browser pops up a little dialog asking for name and password; browser then
> > remembers name and password and sends them in the headers of every
> > request.  IAAuthenticatedSession checks them for validity on every
> > request.  The session key is useless without either knowing the user/pass
> > or having access to the same browser session.
> Ah, ok, that makes reasonable sense I guess. So I can cache the two
> items in my session once the mug^H^H^Huser has logged on and just do a
> quick compare?

Yup.

> > The harder part is asking the browser to forget about the name/pass when
> > you logout.  I don't remember how this works, but last time I was playing
> > with implementing it, it was somewhat flaky.  Thus, I don't tend to use
> > HTTP auth much.  Asking people to quit the browser to log out isn't
> > ideal.  Maybe things have improved, though, I'll take another look.
> So what do you recommend?

Depends what the assumed setting is.  If this is going to be used from
some kind of public lab, I wouldn't recommend HTTP auth, unless you think
people can be trained to always quit their browser when they're done
(doesn't sound likely to me).  Maybe you could use something like the
IAAuthPage example, but store and check the IP of the client?  Doesn't
help if all the machines are behind a NAT gateway, but it's better than
nothing.
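Added example, not Seaside code and not from the thread: the check-every-request flow described above (parse the Basic Authorization header, verify against a store on the first request, then cache and do a quick constant-time compare on later requests, bound to the client IP as suggested). Written in Python rather than Smalltalk; the user store, the salt and the usernames are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
# Constructed user store: username -> PBKDF2 hash of the password (placeholder
# salt; a real store would use a random per-user salt). Not Seaside's own code.
_SALT = b"constructed-salt"
USERS = {"tim": hashlib.pbkdf2_hmac("sha256", b"hunter2", _SALT, 100_000)}

def basic_header(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    """Parse 'Basic <base64(user:password)>' into (user, password), or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

class Session:
    """Per-session cache of the verified credentials. The first request is
    checked against the (slow) password store; later requests are compared
    against a keyed hash held in the session, so the plaintext password is
    never retained and the compare is constant-time. The client IP must match."""
    def __init__(self):
        self.key = secrets.token_bytes(32)   # per-session HMAC key
        self.user = self.tag = self.client_ip = None

    def _tag(self, user, password):
        return hmac.new(self.key, f"{user}:{password}".encode(), "sha256").digest()

    def authorize(self, headers, client_ip):
        creds = parse_basic(headers.get("Authorization"))
        if creds is None:
            return False
        user, password = creds
        if self.user is None:                # first request: hit the store
            expected = USERS.get(user)
            got = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
            if expected is None or not hmac.compare_digest(expected, got):
                return False
            self.user, self.tag, self.client_ip = user, self._tag(user, password), client_ip
            return True
        return (hmac.compare_digest(self.tag, self._tag(user, password))
                and client_ip == self.client_ip)  # NAT: many clients share one IP
```

The IP binding only narrows the window in which a leaked session key is usable; as the message notes, it does nothing when all clients sit behind the same NAT address.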