On 15 Jul 2012, at 11:13 AM, Ehigie Aito wrote:
> only when the session expires according to web2py rules or the user
> explicitly logs off

I'm thinking that it's overkill, and more trouble than it's worth, to use web2py's Auth subsystem for this kind of authentication. Track the authentication state in the session, and write your own Auth class that implements what you need. Maybe call it something else to avoid confusion (and you might want to use gluon.tools.Auth for your administrative accounts anyway). A session then has an initial state, a password-sent state, and a logged-in state (plus perhaps some housekeeping, like a failure count). No doubt you *could* hack around gluon.tools.Auth, but it doesn't seem like it'd be less work.

>
> On Sun, Jul 15, 2012 at 7:12 PM, Jonathan Lundell <[email protected]> wrote:
> On 15 Jul 2012, at 11:10 AM, Ehigie Aito wrote:
>> Just the telephone number and nothing else.
>
> And how persistent is the login? At what point do I as a user have to go
> through the SMS handshake again?
>
>>
>> On Sun, Jul 15, 2012 at 4:48 PM, Jonathan Lundell <[email protected]> wrote:
>> On 15 Jul 2012, at 6:48 AM, Pystar wrote:
>>> I am confused on how to implement this strange authentication mechanism and
>>> incorporate it into web2py and make it work natively.
>>> Take this as an example of how it would work:
>>> There is no registration on the site, whenever a user wants to login to
>>> perform any action, he clicks in the login button, which takes him to a
>>> form where he enters his phone number and a random alphanumeric code is
>>> generated and sent to his phone which he now enters and gets authenticated
>>> and he can now perform whatever action he wants.
>>> How do I get this to play with login_bare() and @auth.requires_login()?
>>>
>>
>> A couple of questions.
>>
>> Does the user enter anything other than the phone number (and later the
>> code) as part of the login/auth process?
>>
>> How persistent is the login?
>>
>
>
>
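The session states described in the reply above (initial, code sent, logged in, plus a failure count), sketched as an added example that is not code from this thread or from web2py. `SmsLogin`, the `send_sms` callback, the `sms_*` session keys and the expiry and failure limits are assumptions; `session` is any dict-like object, which web2py's session is.

```python
import hashlib, hmac, secrets, time

INITIAL, CODE_SENT, LOGGED_IN = "initial", "code-sent", "logged-in"
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters
CODE_TTL = 300      # assumed: seconds a sent code stays valid
MAX_FAILURES = 3    # assumed: wrong guesses allowed per code


class SmsLogin:
    """Hypothetical stand-in for gluon.tools.Auth. `session` is dict-like,
    `send_sms(phone, code)` is supplied by the caller."""

    def __init__(self, session, send_sms, now=time.time):
        self.s, self.send_sms, self.now = session, send_sms, now
        self.s.setdefault("sms_state", INITIAL)

    def _digest(self, code):
        return hashlib.sha256(code.encode()).hexdigest()

    def logout(self):
        for key in ("sms_phone", "sms_digest", "sms_expires", "sms_failures"):
            self.s.pop(key, None)
        self.s["sms_state"] = INITIAL

    def request_code(self, phone):
        code = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self.s.update(sms_state=CODE_SENT, sms_phone=phone, sms_failures=0,
                      sms_digest=self._digest(code),  # store a digest, not the code
                      sms_expires=self.now() + CODE_TTL)
        self.send_sms(phone, code)

    def verify(self, code):
        if self.s["sms_state"] != CODE_SENT:
            return False
        fresh = self.now() <= self.s["sms_expires"]
        guess = self._digest(code.strip().upper())
        if fresh and hmac.compare_digest(guess, self.s["sms_digest"]):
            phone = self.s["sms_phone"]
            self.logout()  # clear the one-time code before marking the login
            self.s.update(sms_state=LOGGED_IN, sms_phone=phone)
            return True
        self.s["sms_failures"] += 1
        if not fresh or self.s["sms_failures"] >= MAX_FAILURES:
            self.logout()  # burn the code; a new one must be requested
        return False

    def is_logged_in(self):
        return self.s["sms_state"] == LOGGED_IN
```

A controller would check `is_logged_in()` where it would otherwise rely on `@auth.requires_login()`; the login then lasts until the session expires or `logout()` is called.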

