[Zope-PAS] Re: [RFC] Extending CookieAuthHelper
Chris McDonough
chrism at plope.com
Thu Nov 11 13:17:50 EST 2004
There is apparently already an extraction plugin for session auth in PAS
within SessionAuthHelper.py. It seems to lack forms at the moment.

On Thu, 2004-11-11 at 12:08, Tres Seaver wrote:
> Jens Vagelpohl wrote:
> > Hi guys,
> >
> > In the course of customer work I would like to either extend the
> > CookieAuthHelper with some useful functionality or, if that's preferred,
> > add a separate Cookie-Auth plugin based on the CookieAuthHelper that has
> > a slightly different behavior.
> >
> > In a nutshell, credentials should not be stored in the cookie itself.
> > The proposed changes involve storing a simple key, or "ticket", in the
> > cookie and storing the credentials in the user's session under that
> > ticket key.
>
> -1 on requiring sessions as the default behavior; it won't work by
> default in a cluster, unless the sessions machinery is configured to use
> a ZEO storage. I think this part should be in a subclass.
>
> > Also, the lifespan of the cookie should be configurable on the plugin
> > and there should be a "logout" method that can be called from user
> > space/untrusted code to effect cookie expiration.
>
> +1 for both of these.
>
> > Like I said, this could be done by extending the CookieAuthHelper or by
> > basing a new plugin on it. What are people's preferences or suggestions?
>
> Tres.
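
The ticket scheme proposed in the quoted message, with the configurable lifespan and the logout method, as an added Python example that is not part of the original thread and does not use the PAS plugin API. The class, the cookie name `__ac_ticket` and the in-memory dict standing in for the session store are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "__ac_ticket"  # assumed cookie name, not taken from PAS


class TicketCookieAuth:
    """The cookie carries only a random ticket; credentials stay server-side."""

    def __init__(self, lifespan_seconds=1200, clock=time.time):
        self.lifespan = lifespan_seconds  # configurable ticket/cookie lifetime
        self._clock = clock
        # Stand-in for the session store. A per-process dict is not shared
        # between cluster nodes, which is the objection raised in the thread.
        self._sessions = {}

    def login(self, login, password):
        """Store credentials under a fresh ticket; return the Set-Cookie value."""
        ticket = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._sessions[ticket] = (login, password, self._clock() + self.lifespan)
        return self._set_cookie(ticket, self.lifespan)

    def extract_credentials(self, cookie_header):
        """Resolve a request's Cookie header to stored credentials, or {}."""
        ticket = self._ticket(cookie_header)
        entry = self._sessions.get(ticket)
        if entry is None:
            return {}  # no cookie, or an unknown/forged ticket
        login, password, expires = entry
        if self._clock() >= expires:
            del self._sessions[ticket]  # enforce the lifetime server-side too
            return {}
        return {"login": login, "password": password}

    def logout(self, cookie_header):
        """Drop the server-side entry and return an expiring Set-Cookie value."""
        self._sessions.pop(self._ticket(cookie_header), None)
        return self._set_cookie("deleted", 0)

    @staticmethod
    def _ticket(cookie_header):
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None

    @staticmethod
    def _set_cookie(value, max_age):
        jar = SimpleCookie()
        jar[COOKIE_NAME] = value
        jar[COOKIE_NAME].update({"max-age": max_age, "path": "/", "httponly": True})
        return jar[COOKIE_NAME].OutputString()
```

Removing the server-side entry on logout is what invalidates the ticket; the `Max-Age=0` cookie only asks the browser to forget it.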