[Zope-PAS] [RFC] Extending CookieAuthHelper

Chris McDonough chrism at plope.com
Fri Nov 12 10:46:54 EST 2004

On Fri, 2004-11-12 at 04:03, Jens Vagelpohl wrote:
> Looking at this a little more a few questions come to mind. First of 
> all, would it be considered a "normal" use case that someone would want 
> to have both the CookieAuthHelper and the SessionAuthHelper plugins 
> running at the same time? I'm thinking they both could be replaced by a 
> single plugin.

I'm -0 on this idea.  It seems to make sense for each to be as simple as
possible so someone approaching each for the first time needn't mentally
parse out the half of the thing that he doesn't need.  Fewer knobs
spread across more plugins is more desirable to me, don't know what
other people think.

Mostly unrelated, but I think PAS itself should sprout a
"resetCredentials" method that can be called by app code that turns
around and calls all of its consituent plugins' resetCredentials
methods.  It's too hard to "log someone out" in a general way right
now.  This is hampered by the fact that the http basic auth plugin
immediately raises unauthorized in its resetCredentials implementation;
it maybe should just set a 401 status and lock it instead.

- C

> Both CookieAuthHelper and SessionAuthHelper implement 
> ILoginPasswordHostExtraction, ICredentialsUpdate and ICredentialsReset. 
> The CookieAuthHelper is also a IChallengePlugin. It seems to me that 
> they're both about extracting and squirreling away user credentials. So 
> imagine a combined plugin, call it for lack of a better name 
> "CredentialsStorage" plugin. The admin can choose where to store the 
> credentials after extraction:
> - in a separate authentication cookie
> - in the user's session (safely, as per Tino's idea)
> - <insert your bright storage ideas here>
> It also has some additional knobs that were already identified as 
> desirable which only really apply if you use a separate authentication 
> cookie because the sessioning mechanism has its own cookie and timeout 
> handling that will be used:
> - specify cookie lifetime
> - specify cookie name
> - mandate sending the cookie via HTTPS
> It would retain the CookieAuthHelper challenge bits of course, and it 
> would sprout a new user-space-accessible "logout" method so the 
> respective user can invalidate the credentials and thus "log out".
> How does that sound for everyone?
> jens
> _______________________________________________
> Zope-PAS mailing list
> Zope-PAS at zope.org
> http://mail.zope.org/mailman/listinfo/zope-pas

More information about the Zope-PAS mailing list