I've been doing some testing of a new site, and I've used repoze.who and repoze.what for authentication and authorization respectively. I did notice one unusual behavior with AuthTktCookiePlugin, however. If I log in to the site, I receive an auth_tkt cookie. Once I have that, I drop and recreate the database, as well as cleaning out any server-side session data. Having done all that, I imagine that my environment is a clean slate, yet the predicate not_anonymous returns true, even though I haven't logged in yet. That's because the credential data coming from the client cookie is entirely trusted. I was imagining some sort of collaboration between the client and server, such that the client cookie was just an index into a session.

Now, I could just write an identifier that uses the session for storage, which would keep the two in sync, but I wanted to make sure that: 1) this wasn't a known problem, or 2) there isn't already some other identifier plugin that satisfies my needs.

(The other possibility is just a stricter predicate, is_valid_user, I suppose, but then I'm still trusting the client to tell me who's logged in...)

Douglas Mayle
Repoze-dev mailing list
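An added example, not from the original post nor from repoze.who itself, contrasting the two behaviours described above: a signed cookie that is trusted on its own versus a signed cookie that is only an index into server-side session state. The ticket format, the secret and the ServerState class are constructed stand-ins, not AuthTktCookiePlugin's real implementation.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; a real deployment reads it from configuration.
SECRET = b"constructed-demo-secret"

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def _verify(cookie: str):
    """Return the signed payload if the cookie's MAC checks out, else None."""
    payload, sep, mac = cookie.rpartition("!")
    if not sep or not hmac.compare_digest(mac, _sign(payload)):
        return None
    return payload

class ServerState:
    """Stand-in for the database plus the server-side session store."""
    def __init__(self):
        self.sessions = {}  # session id -> userid (constructed)
    def drop_and_recreate(self):
        self.sessions = {}  # the "clean slate" from the post

# Stateless ticket: the userid itself lives in the cookie.
def remember_stateless(userid: str) -> str:
    return f"{userid}!{_sign(userid)}"

def identify_stateless(cookie: str):
    # Only the signature is checked; server state is never consulted,
    # so the ticket survives a database and session wipe.
    return _verify(cookie)

# Session-backed ticket: the cookie carries only an opaque session id.
def remember_session(userid: str, state: ServerState) -> str:
    sid = secrets.token_hex(16)
    state.sessions[sid] = userid
    return f"{sid}!{_sign(sid)}"

def identify_session(cookie: str, state: ServerState):
    sid = _verify(cookie)
    # The MAC proves the server issued the cookie; the session store
    # decides whether that login is still live.
    return None if sid is None else state.sessions.get(sid)

def demo():
    state = ServerState()
    stateless, session = remember_stateless("alice"), remember_session("alice", state)
    before = (identify_stateless(stateless), identify_session(session, state))
    state.drop_and_recreate()
    after = (identify_stateless(stateless), identify_session(session, state))
    return before, after  # (('alice', 'alice'), ('alice', None))
```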
