[Zope-PAS] [RFC] Extending CookieAuthHelper
jim at zope.com
Thu Nov 11 14:04:35 EST 2004
Jens Vagelpohl wrote:
> Hi guys,
> In the course of customer work I would like to either extend the
> CookieAuthHelper with some useful functionality or, if that's preferred,
> add a separate Cookie-Auth plugin based on the CookieAuthHelper that has
> a slightly different behavior.
> In a nutshell, credentials should not be stored in the cookie itself.
> The proposed changes involve storing a simple key, or "ticket", in the
> cookie and storing the credentials in the user's session under that
> ticket key.
FWIW, at the Isar sprint, session-based credential-extraction and
challenge plugins were written for the Zope 3 PAS. I like this concept
WRT sessions, it is a goal of mine for Zope 3 sessions that they be ubiquitous
and storable over ZEO. This means that we choose not to write to them very
often. :) This alows us to *count* on them being there.
> Also, the lifespan of the cookie should be configurable on the plugin
> and there should be a "logout" method that can be called from user
> space/untrusted code to effect cookie expiration.
You can't just use the session-timeout mechanism for that?
That certainly makes things simpler.
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
More information about the Zope-PAS