> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Greg
> McClure
>
> ...
>
> My real problem is that I can not get my code to detect session cookie
> deletion. I feel like I'm missing something obvious, but I'm looking
> for anyone to say, "Here it is. You log in this way and when you
> delete your cookies, voila, you're just taken right back to the login
> page."
>
> In addition to my system, I also tried the login example provided with
> WebKit, which had some nice ideas, but when I deleted the session
> cookie in Firefox I got a worse error than the error I had been
> getting ...
>
> Waving my hands wildly in rough seas,
> Greg
>
Hi Greg,

I'm new to this thread, let me see if I can shed some light.

It looks like you are checking for existence of a Session when really you want to be checking for existence of some property within the Session object. It doesn't seem like your code should care if there's a Session or not, merely "is this user logged in" or not.

This is loosely based on some code in production. Although there we use a MixIn to define our own Session class, and I've hand-waved how you would actually validate the user, but I think you'll get the idea:

    from WebUtils.Funcs import urlEncode
    import base64, binascii

    # SiteFrame is the site's own base servlet class (not shown here)

    class AuthFrame(SiteFrame):
        ''' Base class for all servlets requiring auth '''

        def awake(self, transaction):
            SiteFrame.awake(self, transaction)
            # No 'user' in the session (e.g. the cookie was deleted and a
            # fresh session was created): send the browser to the login page
            if not self.session().value('user', None):
                self.sendRedirectAndEnd('/Login?r=' +
                    urlEncode(base64.encodestring(self.request().uri())))

    class Login(SiteFrame):
        ''' This page should display a login form, which POSTs to
            itself and invokes the "login" action '''

        def actions(self):
            return SiteFrame.actions(self) + ['login']

        def login(self):
            # process whatever form arguments you need to login ...
            # let's assume the result is a User object to put in the session ...
            validatedUser = None  # some kind of a User object ...
            self.session().setValue('user', validatedUser)

            # Build the redirect URL
            redirectUrl = self.request().field('r', None)
            if redirectUrl:
                try:
                    redirectUrl = base64.decodestring(redirectUrl)
                except binascii.Error:
                    redirectUrl = None

            # Make sure we don't do something silly like
            # send the user back to the Login or Logout page
            # if they clicked a link from the header or something
            if not redirectUrl \
                    or redirectUrl.find('/Login') > -1 \
                    or redirectUrl.find('/Logout') > -1:
                redirectUrl = '/'

            # Send the user back where they came from
            self.sendRedirectAndEnd(redirectUrl)

Then any page you need secured would be:

    from SomeWhere import AuthFrame

    class SomeSecureFrame(AuthFrame):
        # define your servlet as normal ...
        # remember to call the parent's awake() if you override awake() ...
        pass

I use base64 encoding on the redirect argument because I ran into trouble with just urlEncode and rare cases of nested redirects. You can probably get away without it, but I'll leave that for you.

So there it is. You log in this way and when you delete your cookies, voila, you're just taken right back to the login page. :)

Hope that helps,
Ben

_______________________________________________
Webware-discuss mailing list
Webware-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/webware-discuss
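Because the `r` field arrives from the client, the decoded value should be confirmed as a path on the same site before it is handed to `sendRedirectAndEnd`. The following is an added example, not part of Ben's post or of Webware; it uses Python 3's standard library (URL-safe base64 instead of the post's `encodestring`/`decodestring`), and the helper names `encode_return_url` and `safe_redirect_target` are assumptions.

```python
import base64
from urllib.parse import urlsplit

DEFAULT_TARGET = '/'
# Pages the post avoids bouncing the user back to after login
BLOCKED_SUBSTRINGS = ('/Login', '/Logout')


def encode_return_url(uri):
    """Pack the originally requested URI into a value for the 'r' field."""
    return base64.urlsafe_b64encode(uri.encode('utf-8')).decode('ascii')


def safe_redirect_target(r_field):
    """Decode 'r' and return it only if it is a local path, else '/'."""
    if not r_field:
        return DEFAULT_TARGET
    try:
        raw = base64.urlsafe_b64decode(r_field.encode('ascii'))
        target = raw.decode('utf-8')
        parts = urlsplit(target)
    except ValueError:
        # binascii.Error and UnicodeError are both ValueError subclasses
        return DEFAULT_TARGET
    # Control characters and backslashes have no place in a local path;
    # browsers may read '\' as '/' and silently drop tabs or newlines.
    if any(ord(ch) < 0x20 or ch in '\\\x7f' for ch in target):
        return DEFAULT_TARGET
    # A local target starts with exactly one slash and names no scheme/host.
    if not target.startswith('/') or target.startswith('//'):
        return DEFAULT_TARGET
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    # Same intent as the find('/Login') / find('/Logout') checks in the post
    if any(s in target for s in BLOCKED_SUBSTRINGS):
        return DEFAULT_TARGET
    return target
```

In the `login` action this would take the place of the decode-and-check steps, with the result passed straight to `self.sendRedirectAndEnd(...)`.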