[Zope-CMF] Login/logout information
Ben Riga
briga@borland.com
Wed, 11 Apr 2001 11:17:00 -0700
Tres,
Thanks. I understand the security issues. In my case this initial site
is an internal intranet site/experiment which will grow. The security
issues don't exist since the site does not hold any sensitive info.
I think that this type of decision is best left to the user. Yahoo does
this a couple of different ways. MyYahoo never expires on me. Yahoo Mail
asks you how long you want your cookie to survive for (varies from 15 minutes
to a day). Hotmail also gives the user the preference of when to expire a
session (2 hours to never).
Perhaps this could be something that could be in the member preferences
page.
Thanks again for your help,
Ben
-----Original Message-----
From: tres@borland.com [mailto:tres@borland.com]On Behalf Of Tres Seaver
Sent: Tuesday, April 10, 2001 3:56 PM
To: Ben Riga
Cc: zope-cmf@zope.org
Subject: Re: [Zope-CMF] Login/logout information
Ben Riga wrote:
> It seems like the CMF and/or Zope log me off whenever I shut down
> my browser. Is there any way to prevent that? In other words,
> don't log me out (ever) unless I explicitly log out.
Assuming you are using the cookie-based authentication provided
by default, yes, it is possible, but creates a security issue if
any of your users ever log in from a "shared" machine (library,
internet cafe, etc.)
You would need to tweak / override
'CMFCore.CookieCrumbler.CookieCrumbler.setAuthCookie' such that
it appends 'expires="Never"' to the call to 'resp.setCookie'
(line 153).
Because of the security issue, I *won't* accept a patch to add
this behavior, even as an option, to the CookieCrumbler
distributed with the CMF.
Tres.
--
===============================================================
Tres Seaver tseaver@digicool.com
Digital Creations "Zope Dealers" http://www.zope.org
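
Added example, not part of either message and not CMF or CookieCrumbler code: one way to honor a per-member cookie lifetime preference while keeping the shared-machine risk bounded is to clamp the preference to a site policy and default to a browser-session cookie. It uses Python's standard http.cookies module rather than Zope's 'resp.setCookie'; the function names, cookie name, and policy bounds (15 minutes to one day) are assumptions chosen for illustration.

```python
from http.cookies import SimpleCookie

# Hypothetical site policy (assumed values): lifetimes a member may pick.
MIN_LIFETIME = 15 * 60         # 15 minutes, in seconds
MAX_LIFETIME = 24 * 60 * 60    # one day; there is no "never" option
SESSION_ONLY = None            # default: cookie is dropped when the browser closes


def auth_cookie_header(name, token, preferred_lifetime=SESSION_ONLY):
    """Return the Set-Cookie header value for an authentication cookie.

    preferred_lifetime is the member's preference in seconds, or None for
    a browser-session cookie (no Max-Age attribute is emitted at all).
    Preferences outside the policy range are clamped, never rejected.
    """
    cookie = SimpleCookie()
    cookie[name] = token
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True  # keep the token out of reach of page scripts
    morsel["secure"] = True    # send the cookie over HTTPS only
    if preferred_lifetime is not SESSION_ONLY:
        lifetime = max(MIN_LIFETIME, min(int(preferred_lifetime), MAX_LIFETIME))
        morsel["max-age"] = lifetime
    return morsel.OutputString()


def lifetime_of(header):
    """Parse a Set-Cookie value and return its Max-Age in seconds, or None."""
    parsed = SimpleCookie()
    parsed.load(header)
    (morsel,) = parsed.values()
    return int(morsel["max-age"]) if morsel["max-age"] else None


if __name__ == "__main__":
    # Constructed sample values: cookie name and token are placeholders.
    for pref in (SESSION_ONLY, 60, 2 * 60 * 60, 10 ** 9):
        print(pref, "->", auth_cookie_header("auth", "sample-token", pref))
```
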