On Tue, 6 Mar 2001, Gerald Gutierrez wrote:
> - The app would use URL rewriting for session management.
> - When a user accesses the site, he has a session but is not logged in.
> - He can log in through a form.
> - Some pages can be accessed whether the user is logged in or not; other pages must have the user logged in.
> - If the user tries to view a page where he must be logged in, the server forwards automatically to a login form, and goes to that page when he successfully logs in.
> - User information is maintained in a database. Rules for matching of usernames and passwords are as yet undetermined (e.g. strings are stripped, compared case insensitively, possibly multiple passwords for a username, with each password authenticating the user into a different role).
> - Once the user is logged in, he is given a cookie with a random string as the value. That string also goes into the database.
> - If a user accesses the site, is not logged in, and has the above-described cookie, the server looks up that cookie and auto-logs the user in if possible (so he is then logged in without having to type in his username and/or password).
> - If the user logs out, the cookie is cleared, the random string is invalidated in the database and the user is not auto-logged in at the next visit.
URL rewriting might be a tad tricky in Zope (I think it's a messy solution in any language, actually). Perhaps two cookies: a permanent you've-logged-in-before one, and a just-for-this-time one, which provides the session ID? Permanent is there to autofill login name and such; temporary one has a recent expiration date, and is used to handle page-to-page session stuff. Then, things would be relatively easy to implement in Zope.

I've never used Login Mgr, etc. I'm sure they're better solutions than hand-coding this, though!

As far as PHP vs Zope goes: I'd focus on larger scale things than just user authentication. How manageable is the PHP solution? I find it _very_ hairy to work on someone else's PHP code. Zope seems more than a tad better in this respect.

Good luck. If you learn anything about the session management, consider a HOWTO.

--
Joel Burton <jburton@scw.org>
Director of Information Systems, Support Center of Washington
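The two-cookie scheme Joel sketches (a short-lived session cookie plus a persistent auto-login cookie whose random string is recorded in the database and invalidated on logout) can be shown end to end. The following is an added example written for this thread, not code from either poster and not Zope's Login Manager. It keeps the stand-in tables in memory, assumes the undetermined matching rule is "strip whitespace, compare case-insensitively", supports several passwords per username each granting a different role, stores only a digest of the auto-login token so a copied table cannot be replayed as cookies, and rotates the token every time it is used. All names and values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory tables standing in for the database in the thread.
# USERS: normalized username -> list of (salt, pbkdf2 hash, role); several
# passwords per user, each mapping to its own role, as the design allows.
USERS = {}
# REMEMBER: sha256(cookie token) -> (username, role, expiry). Only the digest
# is stored, so a leaked table does not yield usable auto-login cookies.
REMEMBER = {}
# SESSIONS: session id -> {"user", "role", "expires"}; the short-lived cookie.
SESSIONS = {}

SESSION_TTL = 30 * 60            # seconds a session id stays valid
REMEMBER_TTL = 30 * 24 * 3600    # seconds a persistent token stays valid


def _norm(username: str) -> str:
    # Assumed matching rule: strip whitespace, compare case-insensitively.
    return username.strip().lower()


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def add_user(username: str, password: str, role: str = "member") -> None:
    salt = secrets.token_bytes(16)
    USERS.setdefault(_norm(username), []).append((salt, _pw_hash(password, salt), role))


def authenticate(username: str, password: str):
    """Return the role this password grants, or None. Constant-time compares."""
    for salt, stored, role in USERS.get(_norm(username), []):
        if hmac.compare_digest(stored, _pw_hash(password, salt)):
            return role
    return None


def _new_session(user: str, role: str, now: float) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "role": role, "expires": now + SESSION_TTL}
    return sid


def _issue_remember(user: str, role: str, now: float) -> str:
    token = secrets.token_urlsafe(32)          # the random string in the cookie
    REMEMBER[_digest(token)] = (user, role, now + REMEMBER_TTL)
    return token


def login(username: str, password: str, remember: bool = False, now=None):
    """Form login. Returns (session_id, remember_token_or_None) or None."""
    role = authenticate(username, password)
    if role is None:
        return None
    now = time.time() if now is None else now
    user = _norm(username)
    sid = _new_session(user, role, now)
    return sid, (_issue_remember(user, role, now) if remember else None)


def auto_login(remember_token: str, now=None):
    """Visitor with no live session but a persistent cookie. Returns
    (new_session_id, new_remember_token) or None. The token is single-use:
    it is rotated on every successful auto-login."""
    now = time.time() if now is None else now
    rec = REMEMBER.pop(_digest(remember_token), None)
    if rec is None:
        return None
    user, role, expires = rec
    if now > expires:
        return None
    return _new_session(user, role, now), _issue_remember(user, role, now)


def current_user(session_id: str, now=None):
    """(user, role) the session cookie belongs to, or None if absent/expired."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_id)
    if sess is None or now > sess["expires"]:
        SESSIONS.pop(session_id, None)
        return None
    return sess["user"], sess["role"]


def logout(session_id: str, remember_token=None) -> None:
    """Drop the session and invalidate the persistent token server-side, so
    the next visit is not auto-logged in even if the cookie is replayed."""
    SESSIONS.pop(session_id, None)
    if remember_token is not None:
        REMEMBER.pop(_digest(remember_token), None)
```

The `now` parameter exists only so expiry can be exercised deterministically; a real handler would leave it at the default. The point that matters for the design in the thread is that the server never trusts the cookie value by itself: the random string must still be present (and unexpired) in its table, which is exactly what makes logout effective.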