[Zope] Sessions and authentication

Joel Burton jburton@scw.org
Tue, 6 Mar 2001 15:12:19 -0500 (EST)


On Tue, 6 Mar 2001, Gerald Gutierrez wrote:

> - The app would use URL rewriting for session management.
> - When a user accesses the site, he has a session but is not logged in
> - He can log in through a form
> - Some pages can be accessed whether the user is logged in or not, other 
> pages must have the user logged in
> - If the user tries to view a page where he must be logged in, the server 
> forwards automatically to a login form, and goes to that page when he 
> successfully logs in
> - User information is maintained in a database. Rules for matching of 
> usernames and passwords are as yet undetermined (e.g. strings are stripped, 
> compared case insensitively, possibly multiple passwords for a username, 
> with each password authenticating the user into a different role)
> - Once the user is logged in, he is given a cookie with a random string as 
> the value. That string also goes into the database
> - If a user accesses the site, is not logged in, and has the above-described 
> cookie, the server looks up that cookie and auto-logs the user in if 
> possible (so he is then logged in without having to type in his username 
> and/or password)
> - If the user logs out, the cookie is cleared, the random string is 
> invalidated in the database and the user is not auto-logged in at the next 
> visit.

URL rewriting might be a tad tricky in Zope (I think it's a messy solution
in any language, actually). Perhaps two cookies: a permanent
you've-logged-in-before one, and a just-for-this-time one, which provides
the session ID? Permanent is there to autofill login name and such,
temporary one has a recent expiration date, and is used to handle
page-to-page session stuff.

Then, things would be relatively easy to implement in Zope.

I've never used Login Mgr, etc. I'm sure they're better solutions than
hand-coding this, though!

As far as PHP vs Zope goes: I'd focus on larger scale things than just
user authentication. How manageable is the PHP solution? I find it _very_
hairy to work on someone else's PHP code. Zope seems more than a tad better
in this respect.

Good luck. If you learn anything about the session management, consider a
HOWTO.
-- 
Joel Burton   <jburton@scw.org>
Director of Information Systems, Support Center of Washington
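The flow the thread describes (anonymous session for every visitor, form login, a random-string cookie stored in the database for auto-login, logout invalidating it, redirect to the login form for protected pages) as a worked example in Python, since Zope is a Python system. This is added example code, not Joel's, Gerald's or Zope's; the in-memory dictionaries, the PBKDF2 password hashing, the stripped/case-insensitive username rule, the public path list and the TTL values are all assumptions chosen for the example. It follows Joel's two-cookie suggestion: a short-lived session id and a long-lived remember-me token. Two defensive details go beyond the thread: only a hash of the random string is kept in the table, so a copy of the database does not yield usable cookies, and comparisons use constant-time equality.

```python
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Constructed in-memory stand-ins for the database tables the thread describes
# (assumption: a real deployment keeps these in a persistent store).
USERS = {}            # username -> {"salt": bytes, "pw_hash": bytes}
SESSIONS = {}         # short-lived session id -> {"user": str | None, "expires": float}
REMEMBER_TOKENS = {}  # sha256(token) hex -> {"user": str, "expires": float}

SESSION_TTL = 30 * 60           # the "just-for-this-time" cookie: 30 minutes (assumed)
REMEMBER_TTL = 30 * 24 * 3600   # the "you've-logged-in-before" cookie: 30 days (assumed)
PUBLIC_PATHS = {"/", "/login", "/about"}  # constructed: pages open to everyone


def _normalize_username(username):
    # The thread leaves the matching rules open; here usernames are stripped
    # and compared case-insensitively, passwords are compared exactly.
    return username.strip().lower()


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[_normalize_username(username)] = {"salt": salt, "pw_hash": _pw_hash(password, salt)}


def verify_password(username, password):
    record = USERS.get(_normalize_username(username))
    if record is None:
        return False
    return hmac.compare_digest(record["pw_hash"], _pw_hash(password, record["salt"]))


def new_session(now):
    """Every visitor gets a session, logged in or not."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "expires": now + SESSION_TTL}
    return sid


def current_user(sid, now):
    """Username bound to a live session, or None for anonymous/expired."""
    s = SESSIONS.get(sid)
    if s is None or s["expires"] < now:
        return None
    return s["user"]


def _token_key(token):
    # Only the hash of the random string is stored; the token itself lives
    # solely in the user's cookie.
    return hashlib.sha256(token.encode()).hexdigest()


def login(sid, username, password, now):
    """Form login: returns the remember-me cookie value, or None on failure."""
    if sid not in SESSIONS or not verify_password(username, password):
        return None
    user = _normalize_username(username)
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    token = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[_token_key(token)] = {"user": user, "expires": now + REMEMBER_TTL}
    return token


def auto_login(sid, token, now):
    """Visitor has a session, is not logged in, but presents the cookie."""
    if sid not in SESSIONS:
        return False
    if current_user(sid, now) is not None:
        return True
    rec = REMEMBER_TOKENS.get(_token_key(token))
    if rec is None or rec["expires"] < now:
        return False
    SESSIONS[sid] = {"user": rec["user"], "expires": now + SESSION_TTL}
    return True


def logout(sid, token):
    """Clear the session and invalidate the random string in the database."""
    if sid in SESSIONS:
        SESSIONS[sid]["user"] = None
    REMEMBER_TOKENS.pop(_token_key(token), None)


def route(sid, path, now):
    """Serve the page, or redirect to the login form carrying the original
    destination so the user lands there after logging in."""
    if path in PUBLIC_PATHS or current_user(sid, now) is not None:
        return ("ok", path)
    return ("redirect", "/login?next=" + quote(path, safe=""))
```

The caller passes `now` explicitly so expiry is testable without a clock; a web handler would pass `time.time()`. The `next` parameter is URL-encoded and, in a real handler, should be checked to be a site-relative path before redirecting to it.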