On 1/5/11 1:29 PM, David Glick wrote:
> On 1/5/11 8:20 AM, Alex Clark wrote:
>> All,
>>
>> Happy New Year!
>>
>> This must be my lucky few months; I get to deploy every PAS plug-in ever
>> written in Time, it seems.
>>
>> I have a client that wants "IP auth" meaning that they want to allow
>> their clients to login to their Plone website via their IP address alone.
>>
>> Based on my experience with
>> http://pypi.python.org/pypi/Products.NoDuplicateLogin/1.0a1 (which is in
>> production but by all accounts a kludge) I'm thinking something that
>> uses: http://pypi.python.org/pypi/collective.beaker/1.0b2 this time around.
>>
>> Thoughts?
> I don't understand why sessions need to be involved if you're
> authenticating based on IP address.

Maybe they don't need to be. If I grab the IP address out of the header
and check it against a local utility (or config file even), and in cases
of a match return a user inside authenticateCredentials, is that all I
need to do?

At this point IIUC, plone.session sets a mod_tkt_auth style cookie and
"Plone does the rest"¹.

Alex

¹Plone doing the rest in this context means (from the mod_tkt_auth
website, http://www.openfusion.com.au/labs/mod_auth_tkt/):

"ticket is checked by generating an MD5 checksum for the username and any
(optional) user data from the ticket together with the requesting IP
address and a shared secret available to the server. If the generated MD5
checksum matches the ticket's checksum, the ticket is valid and the
request is authorised. Requests without a valid ticket are redirected to
a configurable URL which is expected to validate the user and generate a
ticket for them."

And this is the reason plone.session does not provide "real" sessions,
because there is no storage.

(Just thinking out loud, again…)

> David
> ----------
> David Glick
> Web Developer
> [email protected]
> 206.286.1235x32
>
> Groundwire: You Are Connected
> http://groundwire.org
>
> Online tools and strategies for the environmental movement. Sign up for
> Groundwire News!
> http://groundwire.org/email-capture
>
> Check out our 2010 Website Benchmarks Report. How do you stack up?
> http://groundwire.org/resources/articles/2010-website-benchmarks-report

--
Alex Clark · http://aclark.net
Author · http://aclark.net/admin

_______________________________________________
Product-Developers mailing list
[email protected]
http://lists.plone.org/mailman/listinfo/product-developers
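
The check described in the message above (take the client address, compare it with a local allow-list, return a user on a match), as an added example that is not part of the original thread or of any Plone package. The names client_ip, user_for_request, TRUSTED_PROXIES and IP_USERS and every address are assumptions; it goes slightly beyond the message by reading X-Forwarded-For only when the connection itself comes from a known proxy.

```python
import ipaddress

# Constructed sample configuration (hypothetical; documentation address ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
IP_USERS = {
    ipaddress.ip_network("192.0.2.0/24"): "client-a",
    ipaddress.ip_network("198.51.100.17/32"): "client-b",
}


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=""):
    """Return the address to authenticate, or None if it cannot be determined."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer):
        # Direct connection: the header is sender-controlled, so ignore it.
        return peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk from the right: entries appended by our own proxies are skipped,
    # and the first other address is the one our proxy actually saw.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed header: fail closed
        if not _is_trusted_proxy(addr):
            return addr
    return None  # proxy connection without a usable client address


def user_for_request(remote_addr, x_forwarded_for=""):
    """Map a request to a user id, or None (let other auth plugins decide)."""
    try:
        addr = client_ip(remote_addr, x_forwarded_for)
    except ValueError:
        return None
    if addr is None:
        return None
    matches = [(net, user) for net, user in IP_USERS.items() if addr in net]
    if not matches:
        return None
    # Most specific network wins when ranges overlap.
    return max(matches, key=lambda m: m[0].prefixlen)[1]
```

A PAS plug-in's authenticateCredentials would call something like user_for_request and return no user when it yields None, so the normal login path still applies.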
