[Zope-PAS] Re: [RFC] Extending CookieAuthHelper

Chris McDonough chrism at plope.com
Thu Nov 11 13:17:50 EST 2004

There is apparently already an extraction plugin for session auth in PAS
within SessionAuthHelper.py .  It seems to lack forms at the moment.

On Thu, 2004-11-11 at 12:08, Tres Seaver wrote:
> Jens Vagelpohl wrote:
> > Hi guys,
> > 
> > In the course of customer work I would like to either extend the 
> > CookieAuthHelper with some useful functionality or, if that's preferred, 
> > add a separate Cookie-Auth plugin based on the CookieAuthHelper that has 
> > a slightly different behavior.
> > 
> > In a nutshell, credentials should not be stored in the cookie itself. 
> > The proposed changes involve storing a simple key, or "ticket", in the 
> > cookie and storing the credentials in the user's session under that 
> > ticket key.
> -1 on requiring sessions as the default behavior;  it won't work by 
> default in a cluster, unless the sessions machinery is configured to use 
> a ZEO storage.  I think this part should be in a subclass.
> > Also, the lifespan of the cookie should be configurable on the plugin 
> > and there should be a "logout" method that can be called from user 
> > space/untrusted code to effect cookie expiration.
> +1 for both of these.
> > Like I said, this could be done by extending the CookieAuthHelper or by 
> > basing a new plugin on it. What are peoples' preferences or suggestions?
> Tres.

More information about the Zope-PAS mailing list