[Zope-CMF] Re: Re: Understanding the login mechanism

Seb Bacon seb at jamkit.com
Thu Oct 9 08:17:45 EDT 2003


Gitte Wange wrote:
> On Thu, 09 Oct 2003 12:36:37 +0100, Toby Dickenson wrote:
> 
> 
>>On Thursday 09 October 2003 12:28, Gitte Wange wrote:
>>
>>
>>>I have 2 sites - mainsite.com and remotesite.com. User gitte logs into
>>>remotesite.com
>>
>>>Then the user goes to mainsite.com
>>
>>By following a link on remotesite? It could munge a login transfer token into 
>>the url.
> 
> 
> Yes - sorry I left that little thing out :-)
> The user gitte goes to mainsite.com by clicking on a link in a list that
> is created from a rss feed (syndication).
> At this point I pass along the username to mainsite.com.
> If people try to manipulate the URL and enter another username, they
> will not get logged in because they are not logged into remotesite.com
> with that username.
> I'm not sure if it's a good idea to pass along a login token with the url?
> (Like the __ac cookie)

The __ac cookie is just the base64 encoded version of the username and 
password, as is passed around by Basic auth.  It's only as secure as 
your protocol, so if you're using https it's pretty secure, and if 
you're not using https, it's no less secure than passing the token in 
HTTP headers, which you're already doing.

> And if I passed along the __ac cookie - is there some way I can verify in
> remotesite.com that the __ac is really valid and that the user is logged in?

You'll need the same userfolder data in both sites.  You could perhaps 
use dbtab to mount a ZEO server for the userfolder, or you could just 
host both sites on the same server.  To verify that the user is 
currently logged in, the only thing I can think of is to use a Transient 
Object Container to maintain a list of currently logged in users with an 
expiry time of maybe 10 minutes.  You'd touch the list on each access of 
the site using, say, a modified cookiecrumber.

Hmm, does that make sense?  Caffeine overdose today.


seb
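The two mechanisms discussed in this message, the base64 "user:password" form of the __ac cookie and an expiring list of currently logged-in users standing in for a Transient Object Container, as an added worked example. This is editorial example code, not code from the thread, from CookieCrumbler or from CMF; the function and class names, the 600-second timeout and the sample user folder are all assumptions made for illustration.

```python
import base64
import binascii
import hmac
import time


def encode_ac_cookie(username, password):
    """Build an __ac value as the post describes it: base64("user:password")."""
    return base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def decode_ac_cookie(cookie):
    """Return (username, password) from an __ac value, or None if it is malformed."""
    try:
        raw = base64.b64decode(cookie, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error, non-ASCII input and bad UTF-8
        return None
    if ":" not in raw:
        return None
    username, _, password = raw.partition(":")
    return username, password


class ActiveUserRegistry:
    """Constructed stand-in for a Transient Object Container keyed by username.

    Each entry records when the user last touched the site; entries older than
    `timeout` seconds (10 minutes by default, as suggested in the post) count as
    logged out. The clock is injectable so expiry can be tested deterministically.
    """

    def __init__(self, timeout=600, clock=time.monotonic):
        self._timeout = timeout
        self._clock = clock
        self._last_seen = {}

    def touch(self, username):
        """Call on every request, e.g. from a modified cookie crumbler."""
        self._last_seen[username] = self._clock()

    def is_active(self, username):
        seen = self._last_seen.get(username)
        if seen is None:
            return False
        if self._clock() - seen > self._timeout:
            del self._last_seen[username]  # expired: drop it, as the container would
            return False
        return True


def verify_transferred_login(cookie, users, registry):
    """Accept a transferred __ac value only if it matches the shared user folder
    AND that user is currently active. Returns the username on success, else None.
    """
    creds = decode_ac_cookie(cookie)
    if creds is None:
        return None
    username, password = creds
    expected = users.get(username)
    if expected is None:  # unknown user, e.g. someone edited the username in the URL
        return None
    # Constant-time comparison so a guesser learns nothing from response timing.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    if not registry.is_active(username):  # valid credentials but not logged in right now
        return None
    return username


# Constructed sample data: the user folder both sites would share (e.g. via a ZEO mount).
SHARED_USERS = {"gitte": "s3cret"}


if __name__ == "__main__":
    registry = ActiveUserRegistry(timeout=600)
    registry.touch("gitte")  # gitte is browsing remotesite.com
    token = encode_ac_cookie("gitte", "s3cret")  # the value remotesite.com would pass along
    print(verify_transferred_login(token, SHARED_USERS, registry))
    print(verify_transferred_login(encode_ac_cookie("bob", "x"), SHARED_USERS, registry))
```

Note that a value carrying the username and password in a URL is recorded in web server logs, browser history and Referer headers of any page it links to, even over HTTPS; a short-lived random token that mainsite.com looks up server-side (in a registry like the one above) carries the same "is this person logged in" information without exposing the credentials themselves.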



