URL rewriting might be a tad tricky in Zope (I think it's a messy solution in any language, actually). Perhaps two cookies: a permanent you've-logged-in-before one, and a just-for-this-time one, which provides the session ID? Permanent is there to autofill login name and such, temporary one has a recent expiration date, and is used to handle page-to-page session stuff.
Part of what I'm doing requires talking to cell phones via WML and HDML. While the transport is still HTTP, the phones don't, as per the standards, support cookies. So cookies cannot be made mandatory. It is a "value added feature", as I described, because some WAP gateways support them as an extension. Hence this requirement.
Then, things would be relatively easy to implement in Zope.
I've never used Login Mgr, etc. I'm sure they're better solutions than hand-coding this, though!
I agree, but I'm feeling that authentication/authorization in Zope is limited to what products are available, and building a new product takes a relatively significant amount of time. The requirements I listed are really what I need, and if I can't find a user manager that handles them all, then I believe that I am out of luck. If there is a user manager that works, but I then need a new feature in the auth that isn't supported, then again I'm out of luck.
As far as PHP vs Zope goes: I'd focus on larger scale things than just user authentication. How manageable is the PHP solution? I find it _very_ hairy to work on some else's PHP code. Zope seems more than a tad better in this respect.
Yes. abstraction capability (e.g. SQL as methods), acquisition, and other features in Zope have led me to investigate it in detail. But like the rest, it isn't ideal. I've been able to do everything I have to in J2EE because the API it provides is extremely comprehensive, but the drawback to it is that one needs to maintain an obscene amount of code from XML descriptors to JSPs to servlets to EJBs. I'm just trying to pick out some of the more obvious scenarios and see how they all compare. Is LoginManager the most generalized of the bunch, in terms of the methods that can be used to authenticate? Can the LoginManager be used with URL rewriting?