[Zope-PAS] [RFC] Extending CookieAuthHelper

Jim Fulton jim at zope.com
Thu Nov 11 14:04:35 EST 2004

Jens Vagelpohl wrote:
> Hi guys,
> In the course of customer work I would like to either extend the 
> CookieAuthHelper with some useful functionality or, if that's preferred, 
> add a separate Cookie-Auth plugin based on the CookieAuthHelper that has 
> a slightly different behavior.
> In a nutshell, credentials should not be stored in the cookie itself. 
> The proposed changes involve storing a simple key, or "ticket", in the 
> cookie and storing the credentials in the user's session under that 
> ticket key.

FWIW, at the Isar sprint, session-based credential-extraction and
challenge plugins were written for the Zope 3 PAS.  I like this concept
very much.

WRT sessions, it is a goal of mine for Zope 3 sessions that they be ubiquitous
and storable over ZEO. This means that we choose not to write to them very
often. :)  This alows us to *count* on them being there.

> Also, the lifespan of the cookie should be configurable on the plugin 
> and there should be a "logout" method that can be called from user 
> space/untrusted code to effect cookie expiration.

You can't just use the session-timeout mechanism for that?
That certainly makes things simpler.


Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org

More information about the Zope-PAS mailing list