"Stuart 'Zen' Bishop" wrote
I've put together a functional GenericUserFolder for people to look at and give me feedback before a full release:
Unless I steal someone's existing Session product, I'll end up having to store the cookies in a dictionary on the server (as the clients won't be passing a password in a form I can send to authenticate) - I don't think this will cause a problem for any but the largest sites.
I was about to hack UserDb to make it store the user auth details in an SQLSession. The nice thing about this is that it's really really easy to make sure the login times out properly.
(Also, when they re-login, if you've kept the expired session around, you can drop them back where they were).
Anthony
(Also, when they re-login, if you've kept the expired session around, you can drop them back where they were).
A trick I used to do with ASP (yeah, yeah, I know...) was to have my session management and authentication handled inline with the page as an include -- much like a <dtml-var>. If the user didn't have a session or their session had expired, I'd generate a login form, create hidden fields for any POSTed items, and terminate the render there. When they logged in, they'd go straight back to where they were and continue what they were doing.
The alternative would be spending a lot of time composing some kind of posting, only to have all the effort thrown away when you posted and got redirected to the login form because your session had expired. Particularly with one of the popular browsers wiping the original form's contents when you hit the back button, handling things politely was a must.
Regards, Garth.
-- gtk@well.com
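
The pattern discussed in this thread, as an added example that is not code from any of the posters: a server-side session dictionary with an idle timeout, and a login form that carries an interrupted POST along as HTML-escaped hidden fields. The field names, the timeout value, and the choice to delete expired sessions are assumptions made for the sketch.

```python
import html
import secrets
import time

SESSION_TTL = 15 * 60    # assumed idle timeout, in seconds
SESSIONS = {}            # token -> (username, last_seen), kept on the server
LOGIN_FIELDS = {"login_user", "login_password"}  # hypothetical field names


def start_session(username, now=None):
    """Create a server-side session and return the opaque cookie token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, time.time() if now is None else now)
    return token


def current_user(token, now=None):
    """Return the username for a live session, or None if missing or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, last_seen = entry
    if now - last_seen > SESSION_TTL:
        del SESSIONS[token]            # expired: the token cannot be reused
        return None
    SESSIONS[token] = (username, now)  # sliding expiry
    return username


def login_form(action, posted):
    """Login form that replays the interrupted POST as hidden fields."""
    rows = []
    for name, value in posted.items():
        if name in LOGIN_FIELDS:
            continue                   # never echo credentials back into the page
        rows.append('<input type="hidden" name="%s" value="%s">'
                    % (html.escape(name, quote=True), html.escape(value, quote=True)))
    return ('<form method="post" action="%s">\n%s\n'
            '<input name="login_user"> <input type="password" name="login_password">\n'
            '<input type="submit" value="Log in">\n</form>'
            % (html.escape(action, quote=True), "\n".join(rows)))


def handle_post(token, action, posted, now=None):
    """Inline check: ("ok", user) for a live session, else ("login", form_html)."""
    user = current_user(token, now)
    if user is not None:
        return ("ok", user)
    return ("login", login_form(action, posted))
```

The replayed values are attacker-influenced input by the time they are written back into the page, which is why every name and value goes through `html.escape` with `quote=True`.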