I was just experimenting with adding a token to the auth_tkt cookie
but I think the current implementation is incorrect.
The repoze.who code is trying to handle a string or a list by
converting a list into a comma-separated string before calling paste's
auth_tkt. However, Paste is documented as expecting "a list of
strings". As a result, repoze.who gets it wrong whatever you pass as
* 'foo' is added to the cookie as 'f,o,o'; should be 'foo'
* ['foo'] is added to the cookie as 'f,o,o'; should be 'foo'
* ['foo', 'bar'] is added to the cookie as 'f,o,o,,,b,a,r'; should be 'foo,bar'
(Paste also allows a token containing a comma which really screws
things up at parse time but that's a different matter ;-)
I'm not sure anyone can be using tokens in their current state so I
suggest repoze.who always treats tokens as a list of strings to match
Paste. I'm happy to send a patch for that but wanted to check you
agreed with the reasoning first.
Repoze-dev mailing list