For the past several weeks I've been looking in detail at Zope and PHP, and trying to decide which to use for a web application (as opposed to a dynamic web site). Zope has a lot of helpful infrastructure, but PHP seems more flexible. One of the scenarios I've been thinking about is the authentication/authorization mechanism. It's clear to me how to do this with PHP and J2EE; I was hoping that someone can explain to me how to do this with Zope.

- The app would use URL rewriting for session management.
- When a user accesses the site, he has a session but is not logged in.
- He can log in through a form.
- Some pages can be accessed whether the user is logged in or not; other pages require the user to be logged in.
- If the user tries to view a page where he must be logged in, the server forwards automatically to a login form, and goes to that page when he successfully logs in.
- User information is maintained in a database. The rules for matching usernames and passwords are as yet undetermined (e.g. strings are stripped, compared case-insensitively, possibly multiple passwords for a username, with each password authenticating the user into a different role).
- Once the user is logged in, he is given a cookie with a random string as the value. That string also goes into the database.
- If a user accesses the site, is not logged in, and has the above-described cookie, the server looks up that cookie and auto-logs the user in if possible (so he is then logged in without having to type in his username and/or password).
- If the user logs out, the cookie is cleared, the random string is invalidated in the database, and the user is not auto-logged in at the next visit.

So essentially, I need URL rewriting for session management, and a form-based login, with a flexible set of rules for the actual authentication process. I need cookies to be used as an optional feature which can auto-log in a user. If the user uses cookies, he can be auto-logged in. If not, he can't and must do it manually each time he visits.

I had tried some of this myself, but with little success. Core Session Tracking is well documented, but LoginManager was much more complicated than I had thought, using a lot of jargon that was hard to understand. In the end, I couldn't get much of it working. If someone could tell me whether this is all doable with current packages, and give a brief explanation of how, I would appreciate it very, very much.

Thanks.

Gerald.
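The flow described in the post (form login with stripped, case-insensitive usernames and several passwords per user, a random cookie string recorded in the database for auto-login, invalidated on logout, and protected pages redirecting to the login form) worked through in plain Python as an added illustration. This is not code from the post and is not Zope's LoginManager or Core Session Tracking; the in-memory dicts `USERS` and `REMEMBER_TOKENS` stand in for the database tables, and the function names, the `PUBLIC_PATHS` set, the 14-day token lifetime and the choice to store only a hash of the cookie value (with PBKDF2 for passwords and constant-time comparison) are assumptions added here, not requirements stated in the post.

```python
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Constructed in-memory stand-ins for the two database tables the post describes
# (assumption: a real deployment keeps these in the application's database).
USERS = {}            # normalised username -> list of {"password_hash": bytes, "role": str}
REMEMBER_TOKENS = {}  # sha256(cookie value) -> {"username": str, "expires": epoch seconds}

PBKDF2_ROUNDS = 100_000
SALT_LEN = 16
DEFAULT_LIFETIME = 14 * 86400   # assumption: remember-me cookies live 14 days


def normalise(username):
    """The post's matching rule: strip whitespace and compare case-insensitively."""
    return username.strip().lower()


def hash_password(password):
    """Salted PBKDF2-SHA256; the salt is stored in front of the digest."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def add_password(username, password, role):
    """One username may hold several passwords, each granting a different role."""
    USERS.setdefault(normalise(username), []).append(
        {"password_hash": hash_password(password), "role": role})


def login(username, password):
    """Form login: return the role of the matching password, or None on failure."""
    for entry in USERS.get(normalise(username), []):
        if verify_password(password, entry["password_hash"]):
            return entry["role"]
    return None


def _token_key(cookie_value):
    # Only a hash of the cookie value is stored, so a copy of the table alone
    # cannot be presented as a cookie.
    return hashlib.sha256(cookie_value.encode()).hexdigest()


def issue_remember_token(username, now, lifetime=DEFAULT_LIFETIME):
    """After a successful login: mint the random cookie value and record it."""
    token = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[_token_key(token)] = {
        "username": normalise(username), "expires": now + lifetime}
    return token


def auto_login(cookie_value, now):
    """Not logged in but presenting the cookie: look it up and log in if still valid."""
    key = _token_key(cookie_value)
    rec = REMEMBER_TOKENS.get(key)
    if rec is None:
        return None
    if rec["expires"] <= now:
        del REMEMBER_TOKENS[key]    # expired: remove the row and refuse
        return None
    return rec["username"]


def logout(cookie_value):
    """Invalidate the random string server-side; the client clears its cookie too."""
    REMEMBER_TOKENS.pop(_token_key(cookie_value), None)


PUBLIC_PATHS = {"/", "/login", "/about"}   # assumption: pages open to everyone


def authorise(path, logged_in_user):
    """Protected page and nobody logged in: send to the login form, keeping the target."""
    if path in PUBLIC_PATHS or logged_in_user is not None:
        return ("serve", path)
    return ("redirect", "/login?next=" + quote(path, safe=""))
```

Because `REMEMBER_TOKENS` holds only the hash of the cookie value, the database row is useless without the original cookie, and `logout` deleting that row is exactly what makes the cookie stop working on the next visit; the expiry check in `auto_login` bounds how long a forgotten cookie stays valid if the user never logs out.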