Here's one ugly hack solution to the problem that appears to work and
doesn't require any additional code:
<!-- authentication rule for members-only embedded elements -->
<element id="AuthMemberEmbedded"
extends="rife/authenticated/database.xml">
<property name="template_name">authentication.empty</property>
<property name="role">member</property>
<property name="authvar_type">cookie</property>
<property
name="datasource"><datasource>postgresql</datasource></property>
<submission name="credentials" scope="global">
<param name="login"/>
<param name="password"/>
<param name="remember"/>
</submission>
<childtrigger name="authid"/>
<incookie name="rememberid"/>
<outcookie name="rememberid"/>
</element>
<!-- embedded element that logs the user in from a remembered
session -->
<group inherits="AuthMemberEmbedded">
<element id="RestoreRememberedSession"
file="rife/template/print.xml">
<property name="name">authentication.empty</property>
</element>
</group>
I put "${v ELEMENT:.RestoreRememberedSession/}" in my blueprint.html
file. The "authentication.empty" template is just what the name implies,
an empty file. Now the embedded element gets evaluated on every page
hit, and if it needs to restore a session using the rememberid, that
happens automatically. Since my home page implementation class fetches
the home page template (and thus evaluates its embedded elements) before
doing the check to see if the user is logged in, this gives me the
behavior I want.
EXCEPT! This hack seems to create a brand new session for every page
hit. Every page sets a new rememberid cookie. That appears to be
harmless, but in production it'll be no good since it means extra
database hits to maintain the AuthRemembered table. So I'd still like a
better solution than this.
-Steve
Steven Grimm wrote:
My home page has some personalized content that I show when a known
user visits without requiring them to log in on each visit. But right
now when I visit the home page with an expired authid cookie (or no
authid at all, but with a valid rememberid cookie), I get the
anonymous view. Then I click on my "My Account" link and the system
generates a new authid for me based on my rememberid cookie. If I then
go back to the home page I see the personalized version.
Am I correct in concluding that the "remember me" feature only creates
a new authentication session when the user attempts to visit an
authenticated element, but doesn't have any effect on identified
elements? Is that intended behavior or a bug? If it's intended, is
there a configuration option to get auto session creation on
identified elements too?
Barring such an option, is there a better approach than maintaining my
own "user ID" cookie that's not used by RIFE's authentication code?
That seems like the obvious solution to me at this point but maybe
there's a better way.
-Steve
_______________________________________________
Rife-users mailing list
[email protected]
http://lists.uwyn.com/mailman/listinfo/rife-users
_______________________________________________
Rife-users mailing list
[email protected]
http://lists.uwyn.com/mailman/listinfo/rife-users
