Hi,

The "Remember me" (also known as auto-login) feature is missing from identity. Since this functionality is very common, I think it is a good idea to have "built-in" support for it.

I've started to think about how to implement it. The solution I found best is described here as (a). Other possibilities appear after it in this post as (b) and (c).

(a) Add a new identity source to the IdentityVisitPlugin, which will try to get a username/password pair from a cookie. The identity_from_form() method will check if the form contains a "remember me" field, and if so, it will send a "remember me" cookie back to the browser if the login is successful. The password which is stored in the cookie will be encrypted by the password provider encryption algorithm (this fits nicely into the identity design).

Logging out should clear the "remember me" cookie, but it seems that logout() is implemented separately in each provider. What's the preferred solution? Should both providers inherit or embed some common object?

Here are other possibilities I considered:

a. Add a new column to the tg_visit table, which determines whether the visit is permanent or expires after the default timeout (20 minutes). In [1], it was claimed that a visit describes a "contiguous session of user interaction". Although extending the visit cookie life indefinitely is the simplest solution, I think it is best to separate the notion of a visit (as a session) from "remember me", which runs across many visits.

b. Add a new database table that maps random keys to users. This is exactly like the visit_identity table with all the code associated to it, but for permanent cookies. This solution may be considered more secure than (a), since the cookie does not reveal any information, encrypted or not, about the user's password (which he might be using in other sites as well). This is described in [3].
References:

[1] Ticket #821: http://trac.turbogears.org/turbogears/ticket/821
[2] http://groups.google.com/group/turbogears/browse_thread/thread/2e14ccc36b313ef2/63ff227e9df1d01d
[3] http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice
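
The random-key table option from the post above, sketched as an added example that is not part of the original message and is not TurboGears code. The `remember_me` table, the function names, the 30-day lifetime, storing only a hash of the key, and replacing the key on every use are assumptions of this sketch.

```python
import hashlib
import secrets
import sqlite3
import time

MAX_AGE = 30 * 24 * 3600  # assumed cookie lifetime, in seconds


def open_store():
    """Create the hypothetical remember_me table (in-memory for the demo)."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    db.execute("CREATE TABLE remember_me ("
               "token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, "
               "expires REAL NOT NULL)")
    return db


def _digest(token):
    # Only a hash is stored, so a leaked table cannot be replayed as cookies.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue(db, user_id, now=None):
    """Call after a successful login with "remember me" set; returns the cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random key, unrelated to the password
    db.execute("INSERT INTO remember_me VALUES (?, ?, ?)",
               (_digest(token), user_id, now + MAX_AGE))
    return token


def redeem(db, token, now=None):
    """Return (user_id, new_token) for a valid cookie, else None. Keys are single-use."""
    now = time.time() if now is None else now
    row = db.execute("SELECT user_id, expires FROM remember_me "
                     "WHERE token_hash = ?", (_digest(token),)).fetchone()
    if row is None:
        return None  # unknown, already used, or logged out
    db.execute("DELETE FROM remember_me WHERE token_hash = ?", (_digest(token),))
    user_id, expires = row
    if expires < now:
        return None  # expired rows are dropped, not renewed
    return user_id, issue(db, user_id, now)


def forget(db, token):
    """Logout: drop the server-side row; the caller also clears the cookie."""
    db.execute("DELETE FROM remember_me WHERE token_hash = ?", (_digest(token),))
```

Because the cookie value is looked up by its hash, nothing derived from the user's password ever leaves the server, and `forget()` gives logout a single place to revoke the key regardless of which identity provider is in use.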
