[SGVLUG] Plone

Emerson, Tom Tom.Emerson at wbconsultant.com
Wed Jul 20 14:42:10 PDT 2005


> -----Original Message-----
> Behalf Of Dustin
> 
> On Wed, 20 Jul 2005, Rich Pinder wrote:
> [in response to Dustin]
> >  any connection to the Zope port is automagically
> > logged in as my admin user
> > 
[...when]
> > you use the 'log out' button, unless you exit your browser  
> > you'll continue to remain connected at the next login. 
> 
> Yes, last night I played with the browser and dug around [and]
> realized this.  I think it is behaving OK, except that you 
> simply can't log out.
> 
> Any clue why Zope is the only system that can't do this, when much more
> lightweight PHP-based CMSes can log you out just fine?  It seems like an
> amazingly trivial limitation for such a complex and powerful system.

This is probably a "cookie" issue -- generally the server will issue you a cookie stating "you're logged in", which your browser dutifully sends on every subsequent request.  When you "log out", theoretically the server should send some directive to DELETE the cookie, but I don't think there is such a directive to do this in the first place.  Also, since you indicate this "clears up" when you physically exit the browser, it suggests that this is actually a "session temporary" cookie (has an expiration time of -1, I believe) which the client might NOT be "deleting" if the server does indeed have a way of saying "this cookie has gone stale -- dump it".

Depending on the contents of the cookie and how the server deals with things, one of two things could be happening that would explain what you're seeing:

   1) the cookie is "too generic" -- it indicates who you are but NOT whether you're logged in or not, hence the server always sees you as "you", and uses that fact to indicate you're logged in.

   2) the "server" doesn't internally invalidate the cookie when you "log out", and accepts the cookie as gospel the next time it's presented.
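
The second case in the message above (a server that keeps honouring a cookie after "log out"), next to a logout that invalidates the session on the server, as an added Python example that is not part of the original message and is not Zope or Plone code. The cookie name `sid`, the `SessionStore` class and the replay scenario are hypothetical and constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE = "sid"  # hypothetical cookie name (assumption, not from the thread)

def _token_from(cookie_header):
    """Pull the session token out of a request's Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar[COOKIE].value if COOKIE in jar else None

def _expire_cookie():
    # Re-issuing the cookie with Max-Age=0 and a past Expires asks the browser
    # to discard it; the server cannot force a client to comply.
    return f"{COOKIE}=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"

class SessionStore:
    """Hypothetical server-side table of live sessions: token -> username."""
    def __init__(self):
        self._live = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # random, carries no identity itself
        self._live[token] = user
        return token, f"{COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def authenticate(self, cookie_header):
        return self._live.get(_token_from(cookie_header))

    def logout_weak(self, cookie_header):
        # Case 2: only the browser is told to forget; the session stays live.
        return _expire_cookie()

    def logout(self, cookie_header):
        # Invalidate on the server first, then ask the browser to drop the cookie.
        self._live.pop(_token_from(cookie_header), None)
        return _expire_cookie()

def replay_after_logout(logout_method):
    """Constructed scenario: the old cookie is presented again after logout."""
    store = SessionStore()
    token, _ = store.login("admin")
    header = f"{COOKIE}={token}"
    getattr(store, logout_method)(header)
    return store.authenticate(header)

if __name__ == "__main__":
    print("weak logout  ->", replay_after_logout("logout_weak"))
    print("fixed logout ->", replay_after_logout("logout"))
```

With `logout_weak` the replayed cookie still authenticates as the logged-in user; with `logout` the token is gone from the server's table, so the same cookie is rejected whether or not the browser discarded it.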


