[Zope-CMF] using zope authentication outside of Zope...

Shane Hathaway shane@zope.com
Mon, 20 May 2002 14:55:26 -0400


larry_prikockis@natureserve.org wrote:
> I'd like to use a php-based forum (w-agora) as part of a site that will be
> otherwise built in Zope/CMF.
> Is there a relatively simple way of getting at the __AC cookie zope is using
> for authentication from this php application?  
> 
> Or am I going about things the wrong way?   I want to avoid having a user
> already logged into the CMF portal be required to log in again to be
> authenticated for the php-forum.  In other words, I'd like to just pass the
> Zope/CMF credentials along to the other application.  So far, my fiddling
> around with cookies hasn't been fruitful.

You just need to get PHP to decode the __ac cookie, I think.  Its value 
consists of the username and password, joined with a colon, then base 64 
encoded.  PHP probably provides a way almost as easy as Python to decode 
that.  Then perhaps it could authenticate against an LDAP database that 
both Zope and PHP use.

> all clues greatly appreciated...  (as are warnings as to why, from a
> security perspective, I don't want to be doing this... I have a bad feeling
> that if I get it to work, it'll only be by opening up some colossal security
> hole :-(

Naw, you'll only discover how weak the encoded passwords are. ;-)

Shane
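
Added example, not part of the original message and not Zope's or w-agora's own code: a Python sketch of the decoding described above, showing that the cookie value is reversible without any key, which is why it has to be handled like a plaintext password. The function names, the URL-unquoting step, the trailing-newline handling and the UTF-8 assumption are illustrative assumptions; the sample credentials are constructed.

```python
import base64
import binascii
from urllib.parse import unquote


def decode_ac_cookie(raw_value):
    """Return (username, password) from an __ac cookie value, or None if malformed.

    Assumptions (not stated in the post): the value may arrive URL-quoted,
    may carry a trailing newline from the encoder, and holds UTF-8 text.
    """
    value = unquote(raw_value).strip()
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Split on the first colon only: the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def encode_ac_cookie(username, password):
    """Build the value as the post describes it: 'user:password', base64-encoded."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    cookie = encode_ac_cookie("jdoe", "s3cret:with:colons")
    print(cookie)                            # opaque-looking, but not protected
    print(decode_ac_cookie(cookie))          # credentials recovered with no key
    print(decode_ac_cookie("not base64!!"))  # malformed input is rejected
```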