[Zope-PTK] DISCUSS: Why Zope.org has soft cookies

Kevin Dangoor kid@kendermedia.com
Mon, 17 Jan 2000 16:54:00 -0500


----- Original Message -----
From: "Karl Fast" <karl.fast@pobox.com>
To: <zope-ptk@zope.org>
Sent: Monday, January 17, 2000 4:37 PM
Subject: Re: [Zope-PTK] DISCUSS: Why Zope.org has soft cookies


> > I disagree.  The "password in cleartext on the wire" is the same for
> > HTTP Basic Authentication as it is for cookies.  If people want to
> > discard their login information, all they have to do is click "Logout".
> >
> > The vast, vast majority of sites with identities, IMO, use long-lived
> > cookies, but ask people if it is OK.  People building sites with our
> > software should be able to build sites as "usable" as competitive sites,
> > and have an option to clamp down as they wish.
>
> Sites like Amazon use a two-tiered approach. Whenever I return it
> remembers who I am. No need to enter a password. And it returns
> preferences and recommendations based on that identity. But if I
> want to place an order, view my order history, or do other things
> like that I need to sign on. The login form automatically inserts my
> username (my email address in the case of Amazon) and I need to
> supply my password. More personal information requires
> authentication on a per session basis.

So, maybe what is needed here is a three-way switch:

1) Password must be entered for any user activity

2) User prefs can be read without password, but other actions require login

3) User never needs to enter the password

For case two, it would still be useful to have AUTHENTICATED_USER set up (so
that you can get the username, and prefs when prefs exist). Perhaps there
would be a flag to state whether the user has authenticated in this session,
or some such. As an alternative, there could be a different user object for
handling prefs that can be populated with a password; that way
AUTHENTICATED_USER is something that is only properly set when the user has
entered the password.

I could definitely see us going for the two-tiered approach that Karl talks
about.

Kevin
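The two-tier model Karl describes and the three-way switch Kevin proposes, as an added example that is not from the thread or from Zope/PTK: a long-lived identity cookie that carries only a signed username (never the password), a separate short-lived authenticated session created only after a password check, and one authorize() function applying the three modes. The server key, salt, user store and action names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: server secret, password salt and a one-user store.
SERVER_KEY = b"example-server-key"
SALT = b"example-salt"

def _hash_password(password):
    # Slow salted hash; a deployment would use a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"karl@example.org": _hash_password("correct horse")}

# The three policy modes from the thread, and the actions that need the second tier.
PASSWORD_ALWAYS, PREFS_WITHOUT_PASSWORD, NEVER_PASSWORD = 1, 2, 3
SENSITIVE_ACTIONS = {"place_order", "view_order_history"}
SESSION_TTL = 1800  # authenticated session lasts 30 minutes

def make_identity_cookie(username):
    """First tier ('soft' cookie): username plus an HMAC so it cannot be forged.
    A leaked cookie reveals who the visitor is but not their credential."""
    mac = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"

def read_identity_cookie(cookie):
    """Return the username only if the MAC verifies; otherwise None."""
    username, _, mac = cookie.rpartition("|")
    expected = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None

def login(username, password, sessions):
    """Second tier: check the password and issue a random session token."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
        return None
    token = secrets.token_hex(16)
    sessions[token] = (username, time.time() + SESSION_TTL)
    return token

def authorize(mode, action, identity_cookie, session_token, sessions):
    """Return (username, authenticated_this_session) if allowed, else None."""
    username = read_identity_cookie(identity_cookie) if identity_cookie else None
    if username is None:
        return None
    entry = sessions.get(session_token)
    authenticated = bool(entry and entry[0] == username and entry[1] > time.time())
    if mode == PASSWORD_ALWAYS or (mode != NEVER_PASSWORD and action in SENSITIVE_ACTIONS):
        return (username, True) if authenticated else None
    return username, authenticated  # identity alone suffices, e.g. reading prefs
```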