[Zope-CMF] cookies and CMF login

Tres Seaver tseaver@zope.com
30 Aug 2002 16:14:57 -0400


On Fri, 2002-08-30 at 11:40, Kelley, Sean wrote:
> I am in a windows environment and I am currently running Zope for an
> Intranet on a Windows box which I may port to Linux.  Right now, people join
> the CMF but I want to use cookies so that they do not have to always log in.
> Once they have logged in, I would like them to be able to come back and
> still be logged in a month from now.  I want to obviously remember the user
> name and password and do not want them to have to log in to see the site as
> that user.  I could use some sort of NT authentication, but I want to keep
> independent security from what my IS dept sets.
> 
> I have never used cookies.  How do I do this with CMF 1.3 and Zope 2.5.1?
> Has anyone done this?  If not, is there a how-to that would help me figure
> it out?

First, the obligatory warning:  this is a *really* bad idea if your
authenticated users have access to *any* privileged / sensitive
information, as that data will be vulnerable to any user who can steal /
spoof the cookie.

If, having read that warning, you still need to use persistent
authentication cookies, the CMF does provide you a pistol;  you do have
to strap it into your boottop yourself, as follows:

  - In the 'control' skins folder, select the 'setAuthCookie'
    PythonScript.

  - Customize this script (e.g., to your 'custom' skin folder).

  - Edit the script to include the correct expiration, e.g.::

      resp.setCookie( cookie_name, cookie_value, path='/'
                    , expires='Thu, 31-Dec-2099 23:59:59 GMT' ) # or whatever

I never told you this, so please don't complain when you lose your toes.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver@zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
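
An added example, not part of the original message and not CMF's own code: standalone Python (run outside Zope) that computes a bounded expiry, here the one month the question asked for, in the `Wdy, DD-Mon-YYYY HH:MM:SS GMT` form used for cookie `expires` values, and shows why the warning above applies to a credential-bearing cookie. It assumes the cookie value is the URL-quoted base64 of `name:password`; the function names, the sample value and the `jdoe` credentials are constructed for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, unquote

# Fixed English names: strftime's %a / %b follow the process locale.
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def cookie_expires(days, now=None):
    """Return an 'expires' value `days` after `now` (must be UTC)."""
    when = (now or datetime.now(timezone.utc)) + timedelta(days=days)
    return "%s, %02d-%s-%04d %02d:%02d:%02d GMT" % (
        DAYS[when.weekday()], when.day, MONTHS[when.month - 1], when.year,
        when.hour, when.minute, when.second)


def credentials_in_cookie(cookie_value):
    """Recover (name, password) from a credential-bearing cookie value.

    Assumption: the value is URL-quoted base64 of 'name:password'.
    Base64 is an encoding, not encryption, so no key is needed.
    """
    raw = base64.b64decode(unquote(cookie_value)).decode("utf-8")
    name, _, password = raw.partition(":")
    return name, password


# Constructed sample value; 'jdoe' and the password are made up.
SAMPLE_COOKIE = quote(base64.b64encode(b"jdoe:correct horse").decode("ascii"))

if __name__ == "__main__":
    # A one-month lifetime instead of a fixed date in 2099.
    print("expires=" + cookie_expires(30))
    # Anyone holding the cookie value holds the login itself.
    print(credentials_in_cookie(SAMPLE_COOKIE))
```

A shorter lifetime narrows how long a copied cookie stays usable; it does not change what the cookie contains.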