[Zope] question about user authentication

Jason Jones jason_j@countermedia.org
Tue, 3 Aug 1999 18:29:52 -0400


On Tue, 03 Aug 1999, Michel Pelletier wrote:
> BTW, please don't send HTML formatted mail to the Zope list, it makes it
> a bit difficult to deal with.  I've been meaning to mention this for the past
> week or so...
> 

My apologies... I was at work and forgot that HTML is the company standard...

> Zope does not keep the AUTHENTICATED_USER object around in a persistent
> manner.  How HTTP basic auth works is that the server challenges the
> browser on *every* request, on the first request, the browser caches the
> uid and pwd the user types in, and uses it for each subsequent request. 
> The point is, there is NO state maintained on the server end.
> 

Thanks for clearing this up. I thought that Zope, when authenticating the user,
was storing the results of that authentication, and that, if such was the
case, all I would need to do is add the key to a cookie (or url) and match it
with a DTML call. Since this isn't the case I can just create my own...

> If you want to keep state, you'll have to set a cookie, or munge your 
> URLs.  I would set a cookie, URL munging is a pain.  To fold your cookie 
> auth into the Zope security framework, you would need to write your own 
> kind of User folder.  
>  
> Luckily, we have done this already with UserDB, which can authenticate 
> with cookies against a relational database. To make it work like a 
> normal Zope folder but with cookies, you would just have to create a 
> new kind of Zope folder that did the cookie part from UserDB but not 
> the DB part, or you could just use UserDB. 
> 

I'll take a look at UserDB, thanks. My suspicion is that I will have to provide
solutions for cookies and URL manipulation though to support those users who
consistently refuse cookies.

> Zope has no built in restrictions for using session like concepts, in
> fact we have used that model many times.  You'll just have to roll your
> own, because no general solution has been found yet.
> 
>-Michel

How will the upcoming Zope Portal Toolkit deal with user authentication and
sessions? Looking at the animated demo, I see login screens, etc... Any idea
when this will be available?

Thanks,

Jason Jones
jason_j@countermedia.org
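
The contrast discussed in this thread, per-request HTTP basic auth versus a cookie that carries the login state, as an added Python sketch that is not part of the original message and is not Zope or UserDB code. `SECRET`, `USERS`, `TTL` and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)          # per-process signing key (assumption)
USERS = {"jason": "s3cret-constructed"}   # constructed sample credential store
TTL = 1800                                # cookie lifetime in seconds (assumption)

def check_basic(headers):
    """Stateless basic auth: credentials are re-verified on every request."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None                       # server would answer 401 + WWW-Authenticate
    try:
        uid, _, pwd = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:                    # bad base64 or bad UTF-8
        return None
    expected = USERS.get(uid)
    if expected is not None and hmac.compare_digest(pwd.encode(), expected.encode()):
        return uid
    return None

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(uid, now=None):
    """After one successful login, hand the browser a signed, expiring token."""
    expires = int(now if now is not None else time.time()) + TTL
    payload = f"{uid}|{expires}"
    return f"{payload}|{_sign(payload)}"

def check_cookie(value, now=None):
    """Validate the token on each request without a server-side session table."""
    payload, _, mac = value.rpartition("|")
    if not payload or not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return None                       # tampered or malformed
    uid, _, expires = payload.partition("|")
    current = now if now is not None else time.time()
    if not expires.isdigit() or int(expires) < current:
        return None                       # expired
    return uid
```

The cookie value is only as safe as its transport: it should be sent over TLS with the `Secure` and `HttpOnly` attributes, and putting the same token in a URL exposes it to logs and referrers.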