Re: [Zope] CookieCrumbler Question

Germer, Carsten carsten.germer@desy.de
Thu, 17 Apr 2003 09:44:34 +0200


I just solved a problem similar to that.

First, when you log in with cookiecrumbler the cookie that is set is afaik
persistent between http: and https:, that solves that, no need to log in
twice.

I found a way with cookiecrumbler that, no matter where or when the user
needs to login, she will do so over SSL.

What I did:
- Assuming Apache in front of Zope, SSL running smoothly, actual versions of
  everything etc. :))
- Cookie Crumbler with forms into Zope's root
- install SSLAbsoluteURL
- add the attribute SSL=true to login_form
- a small change to login_form
  <snip>
         action_url="came_from or 'logged_in'">
    <!-- <form action="&dtml-action_url;" method="POST"> -->
    <form action="logged_in" method="POST">
  </snip>
Usually the form will redirect back to "came_from" but that is most likely
an unsecured http:... address! You would get the form via SSL, the post of
usn/pwd would run over non-encrypted. The change to a hard-coded relative
link to "logged_in" keeps the https: in front and the transmission secure :)
"logged_in" then checks for "came_from" again and redirects there, changing
back to http: if came_from says so.

I'm not done completely yet but expect a howto about this setup sometime
next week.

Hope it helps! /Gem

> -----Original Message-----
> From: AM [mailto:list_subscriber@neurobs.com]
> Sent: Wednesday, 16 April 2003 16:55
> To: Zope
> Subject: [Zope] CookieCrumbler Question
>
>
> Hi,
>
> I use a cookiecrumbler with my user folder to authenticate users on our
> site. I would like to put the login_form and logging_in pages in the
> https domain.
>
> Our regular domain is www.domain.com and I want to use rewrite rules so
> that if
>  - a user types in http://www.domain.com
>  - they get redirected to https://www.domain.com
>  - then get posted out to https://www.domain.com/logging_in which
>  - then redirects to either insecure pages or secure pages depending on
>    came_from
>
> The location of the pages doesn't change. My question is will that cause
> any problems regarding which domain it authenticated to and which domain
> the authenticated only resources are in (http vs https)
>
> TIA
> AM
>
> --
> ==================================================================
>  Aseem Mohanty
>
>  Neurobehavioral Systems Inc, 828 San Pablo Ave, Albany, CA 94706
>  (R) 510 7696011 (M) 510 3014871 (O) 510 5279231
> ==================================================================
>  "I saw `cout' being shifted "Hello world" times to the left and
>   stopped right there!!"                        -- Steve Gonedes
> ==================================================================
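
Added example, not part of the original message or of CookieCrumbler: a Python check that resolves a rendered login form's action the way a browser would and reports password forms whose POST would leave https:. The host www.example.com, the came_from value and the form markup are constructed samples standing in for the rendered login_form.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_credential_posts(page_url, html):
    """Return resolved targets of password forms that would not post over https."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])  # same resolution a browser does
        if form["has_password"] and urlsplit(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed samples: login_form fetched over SSL, rendered two ways.
PAGE = "https://www.example.com/login_form"
FIELDS = '<input name="__ac_name"><input type="password" name="__ac_password"></form>'
# action taken from came_from, which points back at a plain-http page
FORM_CAME_FROM = '<form action="http://www.example.com/members/index_html" method="POST">' + FIELDS
# hard-coded relative action, as in the change described in the message
FORM_FIXED = '<form action="logged_in" method="POST">' + FIELDS

if __name__ == "__main__":
    print(insecure_credential_posts(PAGE, FORM_CAME_FROM))
    print(insecure_credential_posts(PAGE, FORM_FIXED))
```

The relative action only inherits the scheme of the page it is served on, so the same fixed form is still reported when login_form itself is fetched over plain http.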