[Zope] FSSession problems...
Curtis Maloney
curtis@umd.com.au
Mon, 28 Aug 2000 10:07:24 +1100
On Fri, 25 Aug 2000, Pavlos Christoforou wrote:
> On Fri, 25 Aug 2000, Curtis Maloney wrote:
> > Greetings,
> >
> > I'm using FSSession to store login details about visitors to our site.
> > It is important that users only be able to see their own data (of
> > course).
> >
> > Today, however, I find out that some mistakes have been happening.
> > People are finding themselves logged in when they haven't yet, and others
> > finding they're logged in as someone else. This is, obviously, a
> > problem.
> >
> > I cannot see how this could be happening, since the Session ID is stored
> > in a cookie, which should be unique to the client.
>
> This is very weird indeed. Nobody has ever reported a similar problem. Can
> you send me the DTML method that calls the FSSession?
>
Yes. Very weird. I'm not doing anything fancy. <dtml-call FSSession> is in
the standard_html_header. Once the user's name/password has been verified
from the db, I use:
<dtml-call "FSSession.set('ReturnerID',ReturnerID)">
to set the value, and test if the user is logged in with:
<dtml-if "FSSession.has_key('ReturnerID')">
Logging out works fine, with:
<dtml-if "FSSession.has_key('ReturnerID')">
<dtml-call "FSSession.delete('ReturnerID')">
</dtml-if>
This was apparently working fine for quite some time (about a month of public
usage), until last week. We have examined logs, and seen that one person
accidentally used the system under someone else's ReturnerID, and then
rectified their mistake.
> Pavlos
>
I really would rather continue using FSSession, as it has worked fine for me
in the past, and I find it very simple to use. It would also save me from
having to totally rewrite the site. (o8
Then again, I am considering using Zope level user authentication in the next
revision of this site, but that is already planned to be a major overhaul.
Really, I just want to know what's going wrong...
Have a better one,
Curtis
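The symptom in the message above (a visitor arriving with no cookie and finding themselves logged in as someone else) is what a cookie-keyed session store produces when the ID it hands a fresh visitor is not unique. The following is an added example, not FSSession's code and not a claim about why FSSession misbehaved: a minimal session store whose ID generator is injected, so the same store can be run with a constructed weak generator (a coarse clock tick, so two visitors arriving in the same tick are issued the same ID and share one session) and with IDs from the OS CSPRNG plus a refusal to reuse an ID that is already in the table. The cookie name, the Browser class and the login/logout/current_user helpers mirroring the DTML calls are all assumptions made for the example.

```python
"""Cookie-keyed session store, added example (not FSSession's own code)."""
import itertools
import secrets

COOKIE_NAME = "SESSID"  # assumed cookie name for the example, not FSSession's


class SessionStore:
    def __init__(self, make_id, refuse_reuse):
        self._make_id = make_id            # injected so a weak generator can be shown
        self._refuse_reuse = refuse_reuse  # whether a fresh visitor may get an existing ID
        self._sessions = {}                # session id -> per-visitor dict

    def session_for(self, cookies):
        """Look up the visitor's session by cookie, creating one if absent.

        Returns (sid, data, is_new); the caller sets the cookie when is_new.
        """
        sid = cookies.get(COOKIE_NAME)
        if sid in self._sessions:
            return sid, self._sessions[sid], False
        sid = self._make_id()
        if self._refuse_reuse:
            # Never hand a fresh visitor an ID that already belongs to someone.
            while sid in self._sessions:
                sid = self._make_id()
        # Unguarded path: a colliding ID silently attaches this visitor to an
        # existing session, because setdefault keeps the dict already stored.
        data = self._sessions.setdefault(sid, {})
        return sid, data, True


class Browser:
    """Stand-in for one visitor's browser: it keeps its own cookie jar."""

    def __init__(self):
        self.cookies = {}

    def request(self, store):
        sid, data, is_new = store.session_for(self.cookies)
        if is_new:
            self.cookies[COOKIE_NAME] = sid  # the Set-Cookie the server sends back
        return data


# Helpers mirroring the DTML calls in the message (assumed names).
def login(store, browser, returner_id):
    browser.request(store)["ReturnerID"] = returner_id       # FSSession.set(...)


def logout(store, browser):
    browser.request(store).pop("ReturnerID", None)           # FSSession.delete(...)


def current_user(store, browser):
    return browser.request(store).get("ReturnerID")          # FSSession.has_key(...)


def make_coarse_clock_id():
    """Constructed weak generator: the ID is a clock reading at coarse
    resolution, so two visitors arriving within one tick get the same ID.
    A counter stands in for the clock so the run is deterministic."""
    tick = itertools.count()
    return lambda: "t%d" % (next(tick) // 2)  # two consecutive requests share a tick


def secure_id():
    return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable and unique


def run(make_id, refuse_reuse):
    """Alice logs in; Bob then arrives with no cookie at all. Report what each sees."""
    store = SessionStore(make_id, refuse_reuse)
    alice, bob = Browser(), Browser()
    login(store, alice, "alice")
    result = {
        "bob_sees": current_user(store, bob),    # should be None: Bob never logged in
        "alice_sees": current_user(store, alice),
        "same_cookie": alice.cookies[COOKIE_NAME] == bob.cookies[COOKIE_NAME],
    }
    logout(store, alice)
    result["alice_after_logout"] = current_user(store, alice)
    return result


def run_collision_demo():
    return run(make_coarse_clock_id(), refuse_reuse=False)


def run_hardened_demo():
    return run(secure_id, refuse_reuse=True)


if __name__ == "__main__":
    print("weak ids:    ", run_collision_demo())
    print("secure ids:  ", run_hardened_demo())
```

In the weak run Bob is handed Alice's session ID, so he is "logged in" as her before ever authenticating, and both browsers carry the same cookie; the unique-per-client cookie the message relies on is only as unique as the generator behind it. The hardened run keeps the two defences separate on purpose: an unpredictable ID from the CSPRNG, and a store that refuses to issue an ID already present in its table, so that a collision cannot quietly merge two visitors even if the generator were ever weakened.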