[Zope] Sessions and authentication

Gerald Gutierrez gutz@kalador.com
Tue, 06 Mar 2001 16:22:02 -0800


>URL rewriting might be a tad tricky in Zope (I think it's a messy solution
>in any language, actually). Perhaps two cookies: a permanent
>you've-logged-in-before one, and a just-for-this-time one, which provides
>the session ID? Permanent is there to autofill login name and such,
>temporary one has a recent expiration date, and is used to handle
>page-to-page session stuff.

Part of what I'm doing requires talking to cell phones via WML and HDML. 
While the transport is still HTTP, the phones don't, as per the standards, 
support cookies. So cookies cannot be made mandatory. It is a "value added 
feature", as I described, because some WAP gateways support them as an 
extension. Hence this requirement.

>Then, things would be relatively easy to implement in Zope.
>
>I've never used Login Mgr, etc. I'm sure they're better solutions than
>hand-coding this, though!

I agree, but I'm feeling that authentication/authorization in Zope is 
limited to what products are available, and building a new product takes a 
relatively significant amount of time. The requirements I listed are really 
what I need, and if I can't find a user manager that handles them all, then 
I believe that I am out of luck. If there is a user manager that works, but 
I then need a new feature in the auth that isn't supported, then again I'm 
out of luck.

>As far as PHP vs Zope goes: I'd focus on larger scale things than just
>user authentication. How manageable is the PHP solution? I find it _very_
>hairy to work on someone else's PHP code. Zope seems more than a tad better
>in this respect.

Yes. Abstraction capability (e.g. SQL as methods), acquisition, and other 
features in Zope have led me to investigate it in detail. But like the 
rest, it isn't ideal. I've been able to do everything I have to in J2EE 
because the API it provides is extremely comprehensive, but the drawback to 
it is that one needs to maintain an obscene amount of code from XML 
descriptors to JSPs to servlets to EJBs. I'm just trying to pick out some 
of the more obvious scenarios and see how they all compare.


Is LoginManager the most generalized of the bunch, in terms of the methods 
that can be used to authenticate? Can the LoginManager be used with URL 
rewriting?