[Zope] CoreSessionTracking-based LoginMethod for LoginManager
Mate' Sztipanovits
sztipam@vuse.vanderbilt.edu
Wed, 15 Aug 2001 08:56:01 -0500
Could you guys please take me off the Zope mailing list.
thanks
--Mate'
-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Andy Gimblett
Sent: Wednesday, August 15, 2001 8:26 AM
To: 'zope@zope.org'
Subject: [Zope] CoreSessionTracking-based LoginMethod for LoginManager
Hi there Zopers,
I'm currently trying to develop a LoginMethod for LoginManager which
uses CoreSessionTracking to store/access credentials, rather than
Basic HTTP Authorization or Basic Cookie Authorization. Here's why:
- Basic HTTP auth is unacceptable because we need form-based login.
- I've looked at other user folders which support cookies, and at
CookieCrumbler, and at the BasicCookieLogin class bundled with
LoginManager, but they all share the problem (in my mind) that
they store the username/password encoded in the cookie itself,
which isn't very secure - and doesn't extend well into storing
other information if I wanted to.
- I'd much rather use a token-based scheme where all sensitive
information is stored on the server, and the cookie is just a
token which can be mapped to that data. This seems to me to be
what CoreSessionTracking offers.
- The CST documentation mainly talks about CST as a way of tracking
anonymous sessions, but I see no reason why it couldn't be used
in this way too...?
If we assume that the above reasoning is sound and that this is
A Good Thing To Do, then I have the following problems:
- I haven't written a fully-fledged disk-based product yet. I've
looked at the tutorials and howtos but they're pretty basic.
Helpful, but basic. I've successfully created a stripped-down
do-nothing copy of the BasicCookieLogin class, but it's adding
the extra (CST-related) parts that I'm having difficulty with.
- If I could do it with a ZClass I reckon I could make it work,
but I can't see a way to create a ZClass which LoginManager can
use as a LoginMethod. There are subclasses for UserSources, but
not LoginMethods.
- Ideally I want it to be self-contained, so the LoginMethod
instance would contain a SessionIdManager and a
SessionDataManager - but I don't know how to do this properly/
morally/legally, or if it's even possible.
- Another approach would be to have the LoginMethod pick up a
SessionDataManager outside of it, but I'm having problems with
this too... I tried hard-coding an expected ID in the
LoginMethod and created a SessionDataManager with that ID in
the LoginManager, but the acquisition didn't work. Maybe I'm
missing something simple?
Basically I have too many gaps in my knowledge to pull this together
properly on my own, so it's time to ask for help. I'll be happy to
expand on any of the above if necessary... I've sure learnt a lot
about LoginManager and CST over the last few days, but I don't
quite have the skills to suit action to intent... :-(
I'm assuming that this would be useful to other people if I could
get it to fly? If that's the case, I'd love to release it.
Similarly, if anyone wants to see the source of what I've tried so
far, let me know. Other than that, all input appreciated.
Thanks in advance,
Andy
--
Andy Gimblett - Programmer - Frontier Internet Services Limited
Tel: 029 20 820 044 Fax: 029 20 820 035 http://www.frontier.net.uk/
Statements made are at all times subject to Frontier's Terms and
Conditions of Business, which are available upon request.
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
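The token-based scheme Andy argues for, as an added illustration that is not code from Zope, LoginManager or CoreSessionTracking: the browser cookie carries only an opaque random token, the server maps that token to the logged-in user and any other per-session data, and sessions expire and are forgotten server-side. The class and function names (SessionStore, login, credential_cookie) and the user record are invented for this example. For contrast it also shows the credential-in-cookie approach the post objects to, where anyone who can read the cookie value recovers the password.

```python
"""Form-based login backed by a server-side session store.

Illustration added to the thread; not code from Zope, LoginManager or
CoreSessionTracking. All names here are invented for the example.
"""
import base64
import hashlib
import hmac
import secrets
import time


def _hash_password(password, salt):
    # Store only a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, password hash).
# A real store would use a random salt per user; one fixed salt keeps the example short.
_SALT = b"constructed-static-salt"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


class SessionStore:
    """Maps an unguessable token -> session data, with idle expiry."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> {"user": ..., "expires": ..., "data": {}}

    def create(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits; carries no user data
        self._sessions[token] = {"user": username, "expires": now + self.ttl, "data": {}}
        return token

    def lookup(self, token, now=None):
        """Return the session for a cookie token, or None if unknown or expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if sess["expires"] < now:
            del self._sessions[token]  # expired: drop it so the token can never be reused
            return None
        return sess

    def destroy(self, token):
        # Logout: forgetting the token server-side invalidates the cookie everywhere.
        self._sessions.pop(token, None)


def login(store, username, password, now=None):
    """Verify form credentials; return a token to set as the cookie, or None."""
    rec = USERS.get(username)
    # Hash even for unknown users so response timing does not reveal valid names.
    salt, expected = rec if rec else (_SALT, b"\x00" * 32)
    if rec is None or not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    return store.create(username, now)


def credential_cookie(username, password):
    """The weaker scheme: the cookie value itself encodes the credentials."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def credential_cookie_reveals(cookie):
    """Anyone holding the cookie (logs, proxies, a shared machine) gets the password back."""
    return base64.b64decode(cookie).decode().split(":", 1)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    token = login(store, "alice", "correct horse", now=1000.0)
    print("cookie token:", token)
    print("server-side session:", store.lookup(token, now=1001.0))
    print("after expiry:", store.lookup(token, now=1100.0))
    print("credential cookie decodes to:", credential_cookie_reveals(credential_cookie("alice", "pw")))
```

The point of the `lookup` purge and the `destroy` method is that the server, not the client, decides when a session ends; with credentials in the cookie there is nothing server-side to revoke, so a leaked cookie stays valid until the password changes.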