[Zope-dev] Cookie Crumbler and similar products (Re: Zope 2.6 project updated)
From: Matt Behrens [EMAIL PROTECTED]
> Christian Theune wrote:
> > Well I saw the cookie crumbler wish has been added to the list already, and (as I tested it out this moment) don't see what exactly needs to be done other than adding it by default to the root userfolder.
> >
> > Well, probably some facelifting to the default login, that's not urgent in any way but if wished I would do that.
>
> Well, as far as least-intrusive, CC loses some points by not being compatible with some of the user folders that do their own cookie auth, although that's arguably not CC's fault.

Which makes me think of another point. I haven't used Zope 2.5.1 yet, but I understand from some of the traffic on the mailing lists that some have wanted to disable the session tracking/session management because it interferes with the solutions they already use for session tracking.

And now there is a possible inclusion of another product (CC) that might conflict with other products' cookie functionality.

Instead of locking up users with a particular implementation of a solution to a general problem, why not present an API for a) session management and b) cookie management, and then present default products that use these APIs to provide solutions? This way it will not be hard to replace both session management and cookie management with other products.

Anyone else think that this might be a worthwhile idea? If so, I can offer time and effort and my limited knowledge of Zope to make this possible.

/dario

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )

Re: [Zope-dev] Cookie Crumbler and similar products (Re: Zope 2.6 project updated)
> Which makes me think of another point. I haven't used Zope 2.5.1 yet, but I understand from some of the traffic on the mailing lists that some have wanted to disable the session tracking/session management because it interferes with the solutions they already use for session tracking.

This is possible now. The sessioning solution is very general and everything is parameterized and can be disabled. AFAIK, the complaints I've seen so far have been attributable to folks just misunderstanding the management screens and thinking that the default sessioning configuration is immutable.

- C

RE: [Zope-dev] Cookie Crumbler and similar products (Re: Zope 2.6 project updated)
I like the idea of adding cookie auth to the API. The user product choices are convoluted and I think the community would benefit from adding standard capability to the core.

Adding to that... my priority would be to extend acl_users folder to allow for built-in storage of additional user properties beyond username/password. Yes, there are user products that do this to a point, but an API that allows you to simply do it in ZODB would be ideal.

Maybe someone more familiar could determine a best of integration that addresses acl_users folder extensibility and security to add this to Z2.6.

-Trevor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dario Lopez-Kästen
Sent: Tuesday, March 05, 2002 3:09 PM
To: [EMAIL PROTECTED]
Subject: [Zope-dev] Cookie Crumbler and similar products (Re: Zope 2.6 project updated)

From: Matt Behrens [EMAIL PROTECTED]
> Christian Theune wrote:
> > Well I saw the cookie crumbler wish has been added to the list already, and (as I tested it out this moment) don't see what exactly needs to be done other than adding it by default to the root userfolder.
> >
> > Well, probably some facelifting to the default login, that's not urgent in any way but if wished I would do that.
>
> Well, as far as least-intrusive, CC loses some points by not being compatible with some of the user folders that do their own cookie auth, although that's arguably not CC's fault.

Which makes me think of another point. I haven't used Zope 2.5.1 yet, but I understand from some of the traffic on the mailing lists that some have wanted to disable the session tracking/session management because it interferes with the solutions they already use for session tracking.

And now there is a possible inclusion of another product (CC) that might conflict with other products' cookie functionality.

Instead of locking up users with a particular implementation of a solution to a general problem, why not present an API for a) session management and b) cookie management, and then present default products that use these APIs to provide solutions? This way it will not be hard to replace both session management and cookie management with other products.

Anyone else think that this might be a worthwhile idea? If so, I can offer time and effort and my limited knowledge of Zope to make this possible.

/dario

Re: [Zope-dev] Cookie Crumbler and similar products (Re: Zope 2.6 project updated)
> Christian Theune wrote:
> Hmm. I didn't get an answer right now (well I don't find the question again too) if the cookie crumbler would interfere with subfolders (distor through acquisition) or would only be active on a sibling userfolder, which he is watching.

I'm really not sure. I imagine it could be troublesome.

Re: [Zope-dev] Cookie Crumbler and similar products (Re: Zope 2.6 project updated)
As far as I can tell from my experiences at work, the answer is somewhere in between. Yes it acts on all User Folders below the folder containing the CC, but it seems to get a little confused if the DTML scripts (or at least some of them) are not in the same folder with each UF. Not fully tested as I say, but it is annoying.

Didn't there used to be a UF with a checkbox "Use cookies" in its properties? Can't this functionality be added to the basic UF API, to extend all UFs rather than adding an acquirable object that we might rather not acquire?

Surely the nature of the logon method should be governed by some or all of the following:

1) The site designer's wishes.
2) The browser's ability to do Basic Auth properly (or at all).
3) The user's preference (this might be undesirable in some cases).

Adrian...

--
The difficulty of tactical maneuvering consists in turning the devious into the direct, and misfortune into gain.
- Sun Tzu

----- Original Message -----
From: Matt Behrens [EMAIL PROTECTED]
To: Christian Theune [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, March 05, 2002 8:32 PM
Subject: Re: [Zope-dev] Cookie Crumbler and similar products (Re: Zope 2.6 project updated)

> Christian Theune wrote:
> Hmm. I didn't get an answer right now (well I don't find the question again too) if the cookie crumbler would interfere with subfolders (distor through acquisition) or would only be active on a sibling userfolder, which he is watching.

I'm really not sure. I imagine it could be troublesome.

Re: [Zope-dev] Cookie Crumbler and similar products (Re: Zope 2.6 project updated)
Well. (This answer could also be posted a bit up the thread.)

I think we see that Cookie Crumbler may not be the solution to what I originally intended - the availability of cookie based authentication in the standard userfolder.

Due to its problems, it seems as if it would be best to extend the first userfolder again (currently a userfolder on the API has no idea about different authentication methods at all, or am I wrong?) but this would break the API - which changed in 2.5 afairk already - again, which I do not desire just for the sake of proper logout of management interface / cookie logins ... but I still believe it would be good to be there.

Greetings
Christian

On Tue, Mar 05, 2002 at 03:31:50PM -0500, Trevor Toenjes wrote:
> I like the idea of adding cookie auth to the API. The user product choices are convoluted and I think the community would benefit from adding standard capability to the core.
>
> Adding to that... my priority would be to extend acl_users folder to allow for built-in storage of additional user properties beyond username/password. Yes, there are user products that do this to a point, but an API that allows you to simply do it in ZODB would be ideal.
>
> Maybe someone more familiar could determine a best of integration that addresses acl_users folder extensibility and security to add this to Z2.6.
>
> -Trevor

--
Christian Theune - [EMAIL PROTECTED]
gocept gmbh co.kg - schalaunische strasse 6 - 06366 koethen/anhalt
tel.+49 3496 3099112 - fax.+49 3496 3099118 mob. - 0178 48 33 981
reduce(lambda x,y:x+y,[chr(ord(x)^42) for x in 'zS^BED\nX_FOY\x0b'])