[Zope-CMF] auto login

Tres Seaver tseaver@palladion.com
Wed, 1 Aug 2001 13:22:35 -0400 (EDT)


On Wed, 1 Aug 2001, Thomas Olsen wrote:

> Is there any way I can "auto login" to a cmf site? Using normal
> http auth one can do http://<user>:<password>@site.net/
> 
> Can I do something similar with the CMF?
>
> I'm asking this because I want to use an applet for editing
> Documents and not all browsers handle authenticated sessions
> very well. I guess it has something to do with them not sending
> the cookie data when making a request via an applet.

RFC 1738 (http://RFC.net/rfc1738.html) only permits the
"user:password@" bit for FTP URLs;  some browsers try to emulate
it for HTTP, but it is definitely non-standard.

If the applet can be configured to do HTTP Basic Auth, then you
just need to suppress the "eager cookie login" part of the
CookieCrumbler, in which the CC grabs Unauthorized exceptions and
redirects the request to the login form.  You can disable this
feature by deleting the "Auto-login page ID" property of the CC.
 
> This brings me to my next question: How do I (if possible) get
> a user's password? Or is there a more elegant way of doing this?

Best practice says that your application should not need
to grab the user's password.  The applet needs to be smart enough
to prompt for a userid / password when challenged.  You might be
able to ask the CookieCrumbler for the current user's token, and
then work out a way to pass it to the applet as an argument.

Tres.
-- 
===============================================================
Tres Seaver                               tseaver@palladion.com
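
The challenge-and-prompt flow described in the reply above, shown as an added example that is not part of the original message or of the CMF code: a client that sends no credentials at first, reads the Basic challenge on a 401, asks a prompt callback for the userid and password, and retries with an Authorization header. The stand-in server, the realm, the credentials and the function names (`basic`, `fetch`, `demo`) are constructed for illustration, and Python stands in for the applet's Java.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM, USER, PASSWORD = "demo-site", "editor", "s3cret"  # constructed sample values

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class Protected(BaseHTTPRequestHandler):
    """Stand-in server: 401 plus a Basic challenge unless credentials match."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == basic(USER, PASSWORD)
        body = b"document body" if ok else b""
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def fetch(host, port, path, prompt):
    """GET path; on a Basic challenge call prompt(realm) and retry once."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)  # first attempt carries no credentials
        resp = conn.getresponse()
        body = resp.read()
        challenge = resp.getheader("WWW-Authenticate", "")
        if resp.status != 401 or not challenge.lower().startswith("basic"):
            return resp.status, body
        realm = challenge.partition('realm="')[2].partition('"')[0]
        # Credentials travel in the Authorization header, never in the URL.
        conn.request("GET", path, headers={"Authorization": basic(*prompt(realm))})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def demo(prompt):
    server = HTTPServer(("127.0.0.1", 0), Protected)  # free loopback port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return fetch("127.0.0.1", server.server_port, "/doc", prompt)
    finally:
        server.shutdown()
        server.server_close()
```

Basic credentials are only base64-encoded, so a real deployment would run this exchange over HTTPS.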