-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris McDonough wrote:
> FTR, I tried to apply the patch referenced in Lukasz' email to
> redirectingformplugin, but as I was doing that, I realized I don't know where
> SCRIPT_PATH is supposed to come from.  It's not a CGI or WSGI envvar as far as I
> can tell and it's not in wsgiorg.routing_args either.  Is it supposed to be
> SCRIPT_NAME?
> 
> I also took a look at FriendlyRedirectingFormPlugin.  FTR, I intend to add some
> facility to who in the near future that makes it possible to log a user out
> without necessarily displaying the challenge form (by maybe allowing the app to
> return a 403 Forbidden, which would "forget" credentials but just display the
> body of the page returned without actually invoking any challenger).

403 won't cause any credentials to be forgotten:  it says, "I know who
you are, and you aren't allowed to access that resource."  Logging out
should *not* be an exceptional case:  it should just be a redirect to
whatever view / controller is responsible for triggering the "forget"
(i.e., clearing the cookie, removing a key from the session, whatever),
perhaps followed by a redirect to an unprotected "logged out" page (or
wherever works for the app).

The basic auth / digest auth mechanisms *have* to challenge to log out:
otherwise, the browser will keep sending the credentials along.



Tres.

- --
===================================================================
Tres Seaver          +1 540-429-0999          tsea...@palladion.com
Palladion Software   "Excellence by Design"    http://palladion.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJkDZF+gerLs4ltQ4RAq8+AJ9S34Jlj24upH4r3RoI0Z0nyXAFUwCgjS6+
A1MgvCZz6BCFBijN8DNX4is=
=YjHX
-----END PGP SIGNATURE-----
_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
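The logout flow Tres describes above, as an added example written in plain WSGI with only the Python standard library. It is not repoze.who's code or API; the cookie name `auth_tkt`, the paths `/admin`, `/logout`, `/logged_out` and `/login`, the user names and the realm are all assumptions made for the example. It contrasts a 403 (which leaves the auth cookie untouched) with a logout controller that clears the cookie and redirects, and shows the 401 challenge that is the only "forget" available for HTTP Basic/Digest.

```python
"""Added example (not repoze.who's code): logout as a redirect to a 'forget'
view, shown in plain WSGI with only the standard library.

It contrasts the two responses discussed in the thread:
  * 403 Forbidden leaves the browser's auth cookie untouched, so the user
    stays identified;
  * a /logout controller clears the cookie (Max-Age=0 + past expiry) and then
    redirects to an unprotected 'logged out' page.
For HTTP Basic/Digest there is no cookie to clear, so the only available
signal is a fresh 401 challenge. Cookie name, paths and users are assumed.
"""
from http.cookies import SimpleCookie

AUTH_COOKIE = "auth_tkt"   # assumed cookie name carrying the identity
ADMIN_USER = "admin"       # assumed: the only user allowed on /admin


def identify(environ):
    """Return the user named by the auth cookie, or None when absent."""
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = jar.get(AUTH_COOKIE)
    return morsel.value if morsel and morsel.value else None


def forget_headers():
    """Set-Cookie header that makes the browser drop the auth cookie."""
    jar = SimpleCookie()
    jar[AUTH_COOKIE] = ""
    jar[AUTH_COOKIE]["path"] = "/"
    jar[AUTH_COOKIE]["max-age"] = 0
    jar[AUTH_COOKIE]["expires"] = "Thu, 01 Jan 1970 00:00:00 GMT"
    return [("Set-Cookie", jar[AUTH_COOKIE].OutputString())]


def app(environ, start_response):
    """Cookie-based app: /admin is protected, /logout forgets, /logged_out is public."""
    path = environ.get("PATH_INFO", "/")
    user = identify(environ)

    if path == "/logout":
        # The 'forget' controller: clear the cookie, then send the user on.
        start_response("302 Found", [("Location", "/logged_out")] + forget_headers())
        return [b""]

    if path == "/logged_out":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"You are logged out."]

    if path == "/admin":
        if user is None:
            # Unidentified: the challenger sends the user to the login form.
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        if user != ADMIN_USER:
            # Identified but not permitted: 403 says "I know who you are and
            # you may not". No Set-Cookie is sent, so nothing is forgotten.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"Welcome, admin."]

    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"Not found"]


def basic_auth_logout(environ, start_response):
    """For Basic/Digest auth the browser keeps resending the Authorization
    header; the only way to make it stop is to challenge again with a 401."""
    start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="app"'),
                                        ("Content-Type", "text/plain")])
    return [b"Logged out: the browser will prompt again on the next request."]


def call(application, path, cookie=None):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(application(environ, start_response))
    return seen["status"], seen["headers"], body


if __name__ == "__main__":
    # Constructed requests: a non-admin hitting /admin, then logging out, then anonymous.
    for path, cookie in [("/admin", "auth_tkt=alice"), ("/logout", "auth_tkt=alice"), ("/admin", None)]:
        status, headers, _ = call(app, path, cookie)
        print(path, "->", status, headers.get("Set-Cookie", "(no Set-Cookie)"))
    print("/logout (basic) ->", call(basic_auth_logout, "/logout")[0])
```

Running it shows the 403 response carrying no Set-Cookie at all, while the /logout redirect carries `auth_tkt=""; expires=...; Max-Age=0; Path=/`, which is what actually makes the browser forget; the Basic-auth variant can only answer with a new `WWW-Authenticate` challenge.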
