[Zope-CMF] Re: Understanding the login mechanism

Gitte Wange gitte at mmmanager.org
Thu Oct 9 08:37:42 EDT 2003


On Thu, 09 Oct 2003 13:17:45 +0100, Seb Bacon wrote:

> Gitte Wange wrote:
>> On Thu, 09 Oct 2003 12:36:37 +0100, Toby Dickenson wrote:
>> 
>> 
>>>On Thursday 09 October 2003 12:28, Gitte Wange wrote:
>>>
>>>
>>>>I have 2 sites - mainsite.com and remotesite.com. User gitte logs into
>>>>remotesite.com
>>>
>>>>Then the user goes to mainsite.com
>>>
>>>By following a link on remotesite? It could munge a login transfer token into 
>>>the url.
>> 
>> 
>> Yes - sorry I left that little thing out :-)
>> The user gitte goes to mainsite.com by clicking on a link in a list that
>> is created from a rss feed (syndication).
>> At this point I pass along the username to mainsite.com.
>> If people try to manipulate the URL and enter another username, they
>> will not get logged in because they are not logged into remotesite.com
>> with that username.
>> I'm not sure if it's a good idea to pass along a login token with the url?
>> (Like the __ac cookie)
> 
> The __ac cookie is just the base64 encoded version of the username and 
> password, as is passed around by Basic auth.  It's only as secure as 
> your protocol, so if you're using https it's pretty secure, and if 
> you're not using https, it's no less secure than passing the token in 
> HTTP headers, which you're already doing.

Okay - I know the __ac cookie is just an encoded version of the login
information. It is easily decoded - and that's why I don't want it in a
link. But that could be a solution (then I have both the username and the
password present on mainsite.com)
I have tried to get the cookies from remotesite.com in all sorts of ways -
I just tried calling a simple python script on remotesite.com that just
returns the request object. Do I need to say that it returned Anonymous
User as AUTHENTICATED_USER?

>> And if I passed along the __ac cookie - is there somehow I can verify in
>> remotesite.com that the __ac is really valid and that user is logged in ?
> 
> You'll need the same userfolder data in both sites.  You could perhaps 
> use dbtab to mount a ZEO server for the userfolder, or you could just 
> host both sites on the same server.  To verify that the user is 
> currently logged in, the only thing I can think of is to use a Transient 
> Object Container to maintain a list of currently logged in users with an 
> expiry time of maybe 10 minutes.  You'd touch the list on each access of 
> the site using, say, a modified cookiecrumber.

In my test setup I have mainsite.com and remotesite.com running on the
same server - and they are both CMF sites.
But in the solution I need in the end, remotesite.com will be some PHP
site which I have no control over (other than finding out how they log in
people and installing a script on their server that can tell me if a user
is logged in or not).
If they use sessions to track logged-in people I guess it will be easier
to track if a user is logged in ?
For zope sites I guess I will need to pass along the __ac cookie - yirks!

> Hmm, does that make sense?  Caffeine overdose today.

It made sense - unfortunately I cannot use that solution :-(
Maybe if I drink some more coffee I can get all sorts of weird ideas too
:-)

-- 
Gitte Wange
Technical Manager

Email: gitte at mmmanager.org
Web: http://www.mmmanager.org
Tlf: +45 36 46 20 02

Everything is fine except I have about 8,564 questions about
how to integrate the client side scripting, server side scripting,
and all things in between.

    -- Joseph Griffin: Zope mailing list, Setting up Zope.
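Added illustration for the two points argued above (not code from this thread, from Zope or from CMF): first, that an __ac cookie is only base64 of "username:password" and so is readable by anyone who sees the URL, a proxy log or a Referer header; second, what the "login transfer token" Toby mentions could look like, so that remotesite.com can hand a username to mainsite.com in a link without ever sending the password, and mainsite.com can check that the token was really minted for a logged-in user. The shared secret, the token layout, the function names and the sample cookie are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample: what a Zope __ac cookie (or a Basic auth header) carries.
# Per the thread it is just base64("username:password"), so nothing secret is
# needed to turn it back into a password.
SAMPLE_AC_COOKIE = base64.b64encode(b"gitte:s3cret").decode("ascii")


def decode_ac_cookie(cookie_value):
    """Reverse the base64 encoding of an __ac cookie; no key is involved."""
    raw = base64.b64decode(cookie_value).decode("utf-8")
    username, _, password = raw.partition(":")
    return username, password


# Assumption: both sites hold this secret, exchanged out of band. It never
# travels in the URL; only the token does.
SHARED_SECRET = b"replace-with-a-long-random-value"


def make_transfer_token(username, secret=SHARED_SECRET, ttl=600, now=None):
    """Mint a login-transfer token: username, expiry, and an HMAC over both.

    remotesite.com would call this only for a user it has already
    authenticated, so a valid token proves 'logged in there as <username>'.
    """
    expires = int(now if now is not None else time.time()) + ttl
    payload = "%s|%d" % (username, expires)
    mac = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return "%s|%s" % (payload, mac)


def verify_transfer_token(token, secret=SHARED_SECRET, now=None):
    """Return the username if the token is intact and unexpired, else None.

    mainsite.com would run this on the token it finds in the URL. A changed
    username, a forged MAC, a different secret or a stale expiry all fail,
    which is the check the thread asks for.
    """
    try:
        username, expires_str, mac = token.split("|")
        expires = int(expires_str)
    except ValueError:
        return None
    payload = "%s|%d" % (username, expires)
    expected = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    if (now if now is not None else time.time()) >= expires:
        return None
    return username


if __name__ == "__main__":
    print("decoded __ac cookie:", decode_ac_cookie(SAMPLE_AC_COOKIE))
    token = make_transfer_token("gitte")
    print("token in link:", token)
    print("verified as:", verify_transfer_token(token))
    print("tampered:", verify_transfer_token(token.replace("gitte", "admin")))
```

A token like this still lands in the URL, so it ends up in web server logs and Referer headers just as the __ac value would; the difference is that what leaks is a short-lived proof of "was logged in on remotesite.com at that moment", not the password itself. Keep the lifetime short, and on mainsite.com set a normal session cookie after the first successful check rather than trusting the URL token on every request.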
