[Zope] Sessions and authentication

Gerald Gutierrez gutz@kalador.com
Tue, 06 Mar 2001 11:28:30 -0800


For the past several weeks I've been looking in detail at Zope and PHP, and 
trying to decide which to use for a web application (as opposed to a 
dynamic web site). Zope has a lot of helpful infrastructure, but PHP seems 
more flexible.

One of the scenarios I've been thinking about is the 
authentication/authorization mechanism. It's clear to me how to do this 
with PHP and J2EE; I was hoping that someone can explain to me how to do 
this with Zope.

- The app would use URL rewriting for session management.
- When a user accesses the site, he has a session but is not logged in
- He can log in through a form
- Some pages can be accessed whether the user is logged in or not, other 
pages must have the user logged in
- If the user tries to view a page where he must be logged in, the server 
forwards automatically to a login form, and goes to that page when he 
successfully logs in
- User information is maintained in a database. Rules for matching of 
usernames and passwords are as yet undetermined (e.g. strings are stripped, 
compared case insensitively, possibly multiple passwords for a username, 
with each password authenticating the user into a different role)
- Once the user is logged in, he is given a cookie with a random string as 
the value. That string also goes into the database
- If a user accesses the site, is not logged in, and has the above-described 
cookie, the server looks up that cookie and auto-logs the user in if 
possible (so he is then logged in without having to type in his username 
and/or password)
- If the user logs out, the cookie is cleared, the random string is 
invalidated in the database and the user is not auto-logged in at the next 
visit.

So essentially, I need URL rewriting for session management, and a form 
based login, with a flexible set of rules for the actual authentication 
process. I need cookies to be used as an optional feature which can 
auto-log in a user. If the user uses cookies, he can be auto-logged in. If 
not, he can't and must do it manually each time he visits.

I had tried some of this myself, but with little success. Core Session 
Tracking is well documented, but LoginManager was much more complicated 
than I had thought, using a lot of jargon that was hard to understand. In the 
end, I couldn't get much of it working.

If someone could tell me whether this is all doable with current packages, and give a 
brief explanation of how, I would appreciate it very, very much.

Thanks.


Gerald.
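The auto-login cookie scheme described in the post (random string handed out after a form login, stored server-side, looked up on later visits, invalidated on logout), as an added stand-alone Python example that is not from the original message or from Zope. It assumes an in-memory SQLite table standing in for the user database, and as a defensive variant stores only a SHA-256 digest of the random string rather than the string itself, so a copy of the database does not yield working cookies.

```python
# Added example, not part of the original post: the "remember-me" cookie
# flow with a constructed SQLite schema in place of the real user database.
import hashlib
import secrets
import sqlite3


def open_db() -> sqlite3.Connection:
    """Constructed schema: one row per issued auto-login token."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE remember (token_hash TEXT PRIMARY KEY, username TEXT NOT NULL)"
    )
    return db


def _digest(token: str) -> str:
    # Only the digest is persisted; the raw value lives only in the cookie.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db: sqlite3.Connection, username: str) -> str:
    """After a successful form login: mint the random cookie value and
    record its digest against the user (a fresh value on every login)."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    db.execute("INSERT INTO remember VALUES (?, ?)", (_digest(token), username))
    return token


def auto_login(db: sqlite3.Connection, cookie_value):
    """Visitor has no login session but presents the cookie: return the
    username to log in as, or None if the value is unknown or revoked."""
    if not cookie_value:
        return None
    row = db.execute(
        "SELECT username FROM remember WHERE token_hash = ?",
        (_digest(cookie_value),),
    ).fetchone()
    return row[0] if row else None


def logout(db: sqlite3.Connection, cookie_value) -> None:
    """Logout: clear the cookie client-side (not shown) and invalidate the
    token server-side so it cannot auto-log the user in again."""
    if cookie_value:
        db.execute(
            "DELETE FROM remember WHERE token_hash = ?", (_digest(cookie_value),)
        )
```

The page-access rule from the post (redirect to the login form, then back to the requested page) sits outside this block; it would call `auto_login` first and only fall through to the form when that returns None.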