[Zope-PAS] Re: [RFC] Extending CookieAuthHelper
tseaver at zope.com
Thu Nov 11 12:08:16 EST 2004
Jens Vagelpohl wrote:
> Hi guys,
> In the course of customer work I would like to either extend the
> CookieAuthHelper with some useful functionality or, if that's preferred,
> add a separate Cookie-Auth plugin based on the CookieAuthHelper that has
> a slightly different behavior.
> In a nutshell, credentials should not be stored in the cookie itself.
> The proposed changes involve storing a simple key, or "ticket", in the
> cookie and storing the credentials in the user's session under that
> ticket key.
-1 on requiring sessions as the default behavior; it won't work by
default in a cluster, unless the sessions machinery is configured to use
a ZEO storage. I think this part should be in a subclass.
> Also, the lifespan of the cookie should be configurable on the plugin
> and there should be a "logout" method that can be called from user
> space/untrusted code to effect cookie expiration.
+1 for both of these.
> Like I said, this could be done by extending the CookieAuthHelper or by
> basing a new plugin on it. What are peoples' preferences or suggestions?
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
More information about the Zope-PAS