The effect of this approach is that users stay logged in until the browser quits (assuming browser-based password saving is not enabled) or until an authentication error is forced. This has presented a problem for students using public/shared machines. As part of a solution we added a "Logout" link on text objects. It forces an HTTP authentication failure that clears the cached password, but also presents a clunky series of error screens.

At the request of one of the ROLE teachers we have also added a configuration option to the discussion tool to force logout after posting. To avoid ugly error messages in the browser, this is done by setting a cookie that forces a failure on the next request that would require a password. This is reasonably clean, though it adds a small amount of overhead to all subsequent requests and responses, and it will not work if cookies are disabled. (It also has problems on Mac IE, which sends authentication headers even when the server doesn't explicitly request them. This should, however, be fixable.)

This has implications for the future when we move to https for extra security. We would almost certainly have timers on the session, but we also need a way for specific components to explicitly request that the session be terminated. If the cookie-based approach proves successful, we could consider using cookies to hide the /public/ - /private/ distinction. However, there may be value in keeping this distinction visible to make it clear when something requires login.
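The cookie-based forced logout described above, as an added example (not code from the original notes): a minimal request handler in Python that sets a pending-logout cookie after a post and turns the next password-protected request into a single 401 that clears both the browser's cached credentials and the cookie. The cookie name, realm, credential store and the /public/ vs. /private/ path layout are assumptions.

```python
import base64
import hmac
from http.cookies import SimpleCookie

# Constructed credential store and cookie name (hypothetical, for the example).
USERS = {"alice": "s3cret"}
LOGOUT_COOKIE = "force_logout"


def parse_basic(auth_header):
    """Return (user, password) from a Basic Authorization header, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def challenge(clear_cookie=False):
    """401 with WWW-Authenticate: the browser discards its cached password
    and prompts again. Optionally clear the pending-logout flag as well."""
    headers = {"WWW-Authenticate": 'Basic realm="private"'}
    if clear_cookie:
        headers["Set-Cookie"] = f"{LOGOUT_COOKIE}=; Max-Age=0; Path=/; HttpOnly"
    return 401, headers, "Authentication required"


def handle(path, headers, logout_after=False):
    """Serve one request. /private/ paths need a password, /public/ do not.
    Returns (status, response_headers, body)."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    if path.startswith("/private/"):
        # A pending logout fails the first protected request, then is cleared,
        # so the user sees one login prompt instead of a chain of error pages.
        if LOGOUT_COOKIE in cookies:
            return challenge(clear_cookie=True)
        creds = parse_basic(headers.get("Authorization"))
        expected = USERS.get(creds[0]) if creds else None
        if expected is None or not hmac.compare_digest(
                expected.encode(), creds[1].encode()):
            return challenge()
    resp_headers = {}
    if logout_after:
        # The "logout after posting" option: flag the session so the next
        # password-protected request is refused. Costs one cookie per request.
        resp_headers["Set-Cookie"] = f"{LOGOUT_COOKIE}=1; Path=/; HttpOnly"
    return 200, resp_headers, f"OK {path}"
```

Public paths ignore the flag, which is why a client such as Mac IE that volunteers an Authorization header on every request is not forced to re-authenticate there.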
/public/projects/bridge/design/Web session (login-logout) notes
Last modified 9/11/03 1:47 PM by isenhour