[Zope-PAS] [RFC] Extending CookieAuthHelper

Jens Vagelpohl jens at dataflake.org
Fri Nov 12 04:03:13 EST 2004


Looking at this a little more a few questions come to mind. First of 
all, would it be considered a "normal" use case that someone would want 
to have both the CookieAuthHelper and the SessionAuthHelper plugins 
running at the same time? I'm thinking they both could be replaced by a 
single plugin.

Both CookieAuthHelper and SessionAuthHelper implement 
ILoginPasswordHostExtraction, ICredentialsUpdate and ICredentialsReset. 
The CookieAuthHelper is also an IChallengePlugin. It seems to me that 
they're both about extracting and squirreling away user credentials. So 
imagine a combined plugin, call it for lack of a better name 
"CredentialsStorage" plugin. The admin can choose where to store the 
credentials after extraction:

- in a separate authentication cookie
- in the user's session (safely, as per Tino's idea)
- <insert your bright storage ideas here>

It also has some additional knobs that were already identified as 
desirable which only really apply if you use a separate authentication 
cookie because the sessioning mechanism has its own cookie and timeout 
handling that will be used:

- specify cookie lifetime
- specify cookie name
- mandate sending the cookie via HTTPS

It would retain the CookieAuthHelper challenge bits of course, and it 
would sprout a new user-space-accessible "logout" method so the 
respective user can invalidate the credentials and thus "log out".

How does that sound for everyone?

jens
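
A hypothetical sketch of the combined "CredentialsStorage" plugin proposed above, added here as an illustration and not code from the Zope-PAS project or the original post: it keeps the PAS plugin method names (extractCredentials, updateCredentials, resetCredentials) but runs against constructed stand-in request/response objects instead of Zope, and exposes the knobs the mail lists (storage backend, cookie name, cookie lifetime, HTTPS-only cookie). The class names, defaults and the stand-in objects are assumptions.

```python
import base64

class FakeRequest:
    """Constructed stand-in for a Zope request: a cookies dict plus a SESSION mapping."""
    def __init__(self):
        self.cookies, self.SESSION = {}, {}

class FakeResponse:
    """Constructed stand-in for a Zope response that records Set-Cookie calls."""
    def __init__(self):
        self.cookies = {}
    def setCookie(self, name, value, **attrs):
        self.cookies[name] = dict(value=value, **attrs)
    def expireCookie(self, name, **attrs):
        self.cookies[name] = dict(value='deleted', max_age=0, **attrs)

class CredentialsStorage:
    """Hypothetical combined plugin (not PAS code): the admin picks the backend."""
    def __init__(self, storage='session', cookie_name='__ac',
                 cookie_lifetime=None, secure=True):
        assert storage in ('cookie', 'session')
        self.storage, self.cookie_name = storage, cookie_name
        self.cookie_lifetime = cookie_lifetime  # seconds; None = browser-session cookie
        self.secure = secure                    # mandate sending the cookie via HTTPS
    def extractCredentials(self, request):
        # ILoginPasswordHostExtraction: an empty dict means "nothing stored here"
        if self.storage == 'cookie':
            raw = request.cookies.get(self.cookie_name)
            stored = base64.b64decode(raw).decode().split(':', 1) if raw else None
        else:
            stored = request.SESSION.get(self.cookie_name)
        if not stored:
            return {}
        return {'login': stored[0], 'password': stored[1]}
    def updateCredentials(self, request, response, login, new_password):
        # ICredentialsUpdate: lifetime/Secure only matter for the separate auth cookie;
        # the session backend inherits the sessioning cookie's own timeout handling
        if self.storage == 'cookie':
            value = base64.b64encode(f'{login}:{new_password}'.encode()).decode()
            attrs = {'path': '/', 'secure': self.secure}
            if self.cookie_lifetime is not None:
                attrs['max_age'] = self.cookie_lifetime
            response.setCookie(self.cookie_name, value, **attrs)
        else:
            request.SESSION[self.cookie_name] = (login, new_password)
    def resetCredentials(self, request, response):
        # ICredentialsReset: the user-facing "logout" method would call exactly this
        if self.storage == 'cookie':
            response.expireCookie(self.cookie_name, path='/', secure=self.secure)
        else:
            request.SESSION.pop(self.cookie_name, None)
```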
