[Zope-PAS] Re: [RFC] Extending CookieAuthHelper

Tres Seaver tseaver at zope.com
Thu Nov 11 12:08:16 EST 2004

Jens Vagelpohl wrote:
> Hi guys,
> In the course of customer work I would like to either extend the 
> CookieAuthHelper with some useful functionality or, if that's preferred, 
> add a separate Cookie-Auth plugin based on the CookieAuthHelper that has 
> a slightly different behavior.
> In a nutshell, credentials should not be stored in the cookie itself. 
> The proposed changes involve storing a simple key, or "ticket", in the 
> cookie and storing the credentials in the user's session under that 
> ticket key.

-1 on requiring sessions as the default behavior;  it won't work by 
default in a cluster, unless the sessions machinery is configured to use 
a ZEO storage.  I think this part should be in a subclass.

> Also, the lifespan of the cookie should be configurable on the plugin 
> and there should be a "logout" method that can be called from user 
> space/untrusted code to effect cookie expiration.

+1 for both of these.

> Like I said, this could be done by extending the CookieAuthHelper or by 
> basing a new plugin on it. What are peoples' preferences or suggestions?

Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com

More information about the Zope-PAS mailing list