[Zope] Sessions and authentication

Gerald Gutierrez pozix@home.com
Tue, 06 Mar 2001 20:38:04 -0800


> > - If a user accesses the site, is not logged in, and has the above described
> > cookie, the server looks up that cookie and auto-logs the user in if
> > possible (so he is then logged in without having to type in his username
> > and/or password)
> > - If the user logs out, the cookie is cleared, the random string is
> > invalidated in the database and the user is not auto-logged in at the next
> > visit.
>
>Ah.. the danger here, of course, is that anyone using that computer is
>automagically logged in as that user.  This is handy, and in most cases
>harmless... but I have been stung by this before, with login mixups occurring.

I understand the pros and cons; the question here is /how/ to do all this 
in the context of Zope. It seems I'm more or less confined to use one of a 
number of User Folder replacements. Is there a user folder that can do all 
of the following:

- do form login
- use URL rewriting to keep track of a logged in user
- do automatic redirection when a restricted page is accessed
- use an optional cookie for "persistent logins"
- has customizable, flexible rules for authenticating against a database

? I've been unable to make anything work close to this yet in Zope. I'm 
looking for some pointers on /how/ I must approach this problem. What 
products must I use? Are there peculiarities in their configuration to get 
this to work? Must I write some custom code?


I would appreciate any help that anyone can give.

Thanks.

Gerald.