[Zope] Sessions and authentication
Curtis Maloney
curtis@cardgate.net
Wed, 7 Mar 2001 16:05:40 +1100
On Wed, 7 Mar 2001 15:38, Gerald Gutierrez wrote:
> > > - If a user accesses the site, is not logged in, and has the above
> > > described cookie, the server looks up that cookie and auto-logs the
> > > user in if possible (so he is then logged in without having to type in
> > > his username and/or password)
> > > - If the user logs out, the cookie is cleared, the random string is
> > > invalidated in the database and the user is not auto-logged in at the
> > > next visit.
> >
> >Ah.. the danger here, of course, is that anyone using that computer is
> >automagically logged in as that user. This is handy, and in most cases
> >harmless... but I have been stung by this before, with login mixups
> > occurring.
>
> I understand the pros and cons; the question here is /how/ to do all this
> in the context of Zope. It seems I'm more or less confined to use one of a
> number of User Folder replacements. Is there a user folder that can do all
> of the following:
>
> - do form login
> - use URL rewriting to keep track of a logged in user
> - do automatic redirection when a restricted page is accessed
> - use an optional cookie for "persistent logins"
> - has customizable, flexible rules for authenticating against a database
>
> ? I've been unable to make anything work close to this yet in Zope. I'm
> looking for some pointers on /how/ I must approach this problem. What
> products must I use? Are there peculiarities in their configuration to get
> this to work? Must I write some custom code?
>
>
Well, as I understand it the Generic User Folder was designed to allow you to
make it work how YOU wanted, instead of world+dog writing their own UF
variant. This product, however, has not had any updates or releases since
late May last year.
As I understand it, LoginManager is the modern, more general variant of the
GUF. It provides you with 'interfaces' to Users and Login Methods, and you
fill in the blanks. From what I read of the documentation, it will check
object permissions, and, if necessary, challenge the user in whatever way you
write.
So, to address your points:
- do form login
.......... LoginManager
- use URL rewriting to keep track of a logged in user
.......... CookieLess Session
- do automatic redirection when a restricted page is accessed
.......... LoginManager
- use an optional cookie for "persistent login"
.......... LoginManager
.......... LoginManager
- has customizable, flexible rules for authenticating against a database
.......... LoginManager
> I would appreciate any help that anyone can give.
>
So, it looks like a hands down choice, here. However, I will reiterate, I
have not used Login Manager, and am only working on what it claims from the
documentation on Zope.org ( http://www.zope.org/Members/tsarna/LoginManager )
> Thanks.
>
> Gerald.
Have a better one,
Curtis Maloney
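
The persistent-login scheme described in the quoted message (a random string in a cookie, looked up server-side and invalidated at logout), sketched as an added example that is not part of the original post and is not LoginManager or Zope code. The class name, the in-memory dict standing in for the database table, the 30-day lifetime, storing only a hash of the token, and rotating the token on each auto-login are all assumptions of this example and go beyond what the thread specifies.

```python
import hashlib
import secrets
import time


class PersistentLoginStore:
    """Hypothetical token table for "remember me" cookies (dict stands in for the DB)."""

    def __init__(self, lifetime=30 * 24 * 3600):
        self.lifetime = lifetime
        self._rows = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table does not yield usable cookies.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username, now=None):
        """Create a random token after a successful form login; return the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = (username, now + self.lifetime)
        return token

    def auto_login(self, cookie_value, now=None):
        """Look up the cookie. Return (username, replacement_token) or (None, None)."""
        now = time.time() if now is None else now
        if not cookie_value:
            return None, None
        # pop() makes each token single-use: a copied cookie stops working
        # as soon as the legitimate browser (or the copy) has used it once.
        row = self._rows.pop(self._digest(cookie_value), None)
        if row is None or row[1] < now:
            return None, None
        username = row[0]
        return username, self.issue(username, now)

    def logout(self, cookie_value):
        """Invalidate the random string server-side; the caller also clears the cookie."""
        if cookie_value:
            self._rows.pop(self._digest(cookie_value), None)
```

Because logout removes the row on the server, a cookie value left behind on a shared computer is useless at the next visit even if the browser failed to clear it.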