Hello,
I currently use identity for basic login authentication and also include identity checks in some AJAX request methods (my app is a single page that loads with all other updates being AJAX calls), and my app has been developing nicely. Last night, however, I realized that if I log in as User1 in Tab1 of a browser and then log in as User2 in Tab2 of the same browser, I need to detect this and make sure that User1 gets logged out forcefully the next time any action is attempted (like GMail does), because otherwise I have some security issues on my hands. For example, after User2 is logged in, User1's actions are able to do things that "bleed" into User2's data and settings. This is because calls in the controller use identity.current.user.id for finding/changing things, and at this point identity.current.user.id apparently refers to User2. User1 still has an open window that's been authenticated, however, so this is where the security problem comes in.

I've tried digging into the identity source code and researching sessions with TurboGears all over the net, but I'm not really sure what to do here. Two specific questions:

1) Should I be using CherryPy's session mechanism to somehow detect that another login has occurred and use this to force User1 back to the login page? Or does identity do this already somehow and I just don't know how to use it properly? (This approach is probably fine for my situation and is what GMail appears to do.) How would I go about implementing this? I have session.filter_on=True in my dev and prod config files, but beyond that I am a little confused about how to use it properly to detect this situation. It might also be notable that I am using visit tracking via cookies, with visits set to practically never expire in my app.cfg file.

2) If I wanted to, how would I go about allowing multiple users to share the same browser and all be logged in at the same time to my app? I think that in this case I would have to be keeping track of sessions somehow for sure?
Would this be cleaner or easier to do than the former approach? Clearly, I'm not too sure of the exact differences between session and identity and how to apply them here, but I am continuing to do research. Could anyone comment in the meanwhile?
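The following is an added example and is not code from the original post, from TurboGears or from CherryPy. It is a framework-independent Python model of the two-tab sequence described above. The names (Server, cookie id "browser-A", the per-user "theme" setting, the page_user field) and the settings data are all constructed for illustration. It replays the bleed the poster observed (a request from User1's stale tab is served with the cookie's current identity, User2), then shows one check for question 1: each rendered page remembers which user it was rendered for and echoes that id on every AJAX call, and the server refuses to act when it no longer matches the identity the browser session holds. For question 2 it goes beyond the post and sketches per-tab tokens kept in page memory instead of a cookie, so two users can be logged in from one browser at once.

```python
"""Added example (not from the post or from TurboGears/CherryPy):
detecting that the browser's login changed under a still-open page."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Server:
    """Constructed stand-in for the server; all names and data are assumptions."""
    # cookie session id -> user id the browser is currently authenticated as
    cookie_sessions: dict = field(default_factory=dict)
    # per-tab token -> user id (approach sketched for question 2)
    tab_sessions: dict = field(default_factory=dict)
    # constructed per-user settings that an AJAX call is allowed to change
    settings: dict = field(
        default_factory=lambda: {1: {"theme": "light"}, 2: {"theme": "dark"}})

    # --- question 1: one cookie session per browser, detect a changed login ---

    def login(self, cookie, user_id):
        """Logging in rebinds the browser-wide session to user_id (what the post observed).
        The rendered page keeps the id it was rendered for and echoes it on every AJAX call."""
        self.cookie_sessions[cookie] = user_id
        return {"page_user": user_id}

    def ajax_update_unchecked(self, cookie, key, value):
        """The pattern from the post: trust the current identity alone.
        A stale tab's request is executed against whoever the cookie now belongs to."""
        user = self.cookie_sessions.get(cookie)
        if user is None:
            return {"status": "login_required"}
        self.settings[user][key] = value
        return {"status": "ok", "user": user}

    def ajax_update(self, cookie, page_user, key, value):
        """Hardened: refuse when the page was rendered for a different user than
        the session currently holds, so the stale tab can reload or re-login.
        page_user is not a credential; authorization still comes from the session."""
        user = self.cookie_sessions.get(cookie)
        if user is None:
            return {"status": "login_required"}
        if user != page_user:
            return {"status": "identity_changed", "now": user}
        self.settings[user][key] = value
        return {"status": "ok", "user": user}

    # --- question 2: per-tab tokens instead of a browser-wide cookie session ---

    def login_tab(self, user_id):
        """Issue a random token the page keeps in memory and sends in a request header.
        Because it never lives in a cookie, other tabs do not share or overwrite it."""
        token = secrets.token_urlsafe(32)
        self.tab_sessions[token] = user_id
        return token

    def ajax_update_tab(self, token, key, value):
        user = self.tab_sessions.get(token)
        if user is None:
            return {"status": "login_required"}
        self.settings[user][key] = value
        return {"status": "ok", "user": user}


def scenario():
    """Replay the post's two-tab sequence against both request handlers."""
    srv = Server()
    cookie = "browser-A"          # constructed cookie session id shared by both tabs
    tab1 = srv.login(cookie, 1)   # Tab1: User1 logs in
    tab2 = srv.login(cookie, 2)   # Tab2: User2 logs in; the cookie session is now User2's
    # Tab1 (still showing User1's page) fires an AJAX call against the unchecked handler:
    leaked = srv.ajax_update_unchecked(cookie, "theme", "from-tab1")
    # Same call against the hardened handler, echoing the user the page was rendered for:
    blocked = srv.ajax_update(cookie, tab1["page_user"], "theme", "from-tab1-again")
    # Tab2's page echoes User2, which matches the session, so it is served normally:
    fine = srv.ajax_update(cookie, tab2["page_user"], "theme", "from-tab2")
    return {"leaked": leaked, "blocked": blocked, "fine": fine, "settings": srv.settings}


def scenario_multi_user():
    """Two users logged in from one browser at once via per-tab tokens."""
    srv = Server()
    t1 = srv.login_tab(1)
    t2 = srv.login_tab(2)
    r1 = srv.ajax_update_tab(t1, "theme", "one")
    r2 = srv.ajax_update_tab(t2, "theme", "two")
    return r1, r2, srv.settings


if __name__ == "__main__":
    print(scenario())
    print(scenario_multi_user())
```

In the first scenario the unchecked handler writes User1's tab's value into User2's settings, which is exactly the bleed described in the post; the hardened handler instead returns "identity_changed", and the client-side code for the stale tab should treat that status as a signal to discard its state and send the user back to the login page. The per-tab token design in the second scenario removes the shared cookie from the picture entirely, but it also gives up the cookie-based visit tracking mentioned in the post, so the two approaches are not simply interchangeable.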

