Hey Ben,

Sorry I took so long to get back to you, I really do appreciate the help. I've just been swamped with work.

Okay, yeah, I looked at your code and that would definitely seem to be what I need to do. That you tell me this works for you makes me crazy, since this is how I started out in the first place, but when this approach didn't work for me I assumed that I was not understanding something. So now I'm back to square one.

I don't know what it could be. I'm going to try and download the latest Webware code and try to code an Auth framework from scratch, minus all of the other code for the app that's floating around. If I can isolate just the framework code, maybe I can figure out what's going wrong.

Thanks for the help.

All the best,
Greg

On Mar 31, 2005 1:41 PM, Ben Parker <ben@wellspent.org> wrote:
Ha sorry, you'll see references to "SomeParent" in that code which should be
"SiteFrame".  I started to convert to your Frame naming convention but
didn't follow through. :)

> -----Original Message-----
> From: Ben Parker [mailto:ben@wellspent.org]
> Sent: Thursday, March 31, 2005 1:38 PM
> To: Greg McClure
> Cc: Webware discussion list
> Subject: RE: [Webware-discuss] Session Cookies Issue
>
>
> > -----Original Message-----
> > From: webware-discuss-admin@lists.sourceforge.net
> > [mailto:webware-discuss-admin@lists.sourceforge.net]On Behalf Of Greg
> > McClure
> >
> > ...
> >
> > My real problem is that I can not get my code to detect session cookie
> > deletion. I feel like I'm missing something obvious, but I'm looking
> > for anyone to say, "Here it is. You log in this way and when you
> > delete your cookies, voila, you're just taken right back to the login
> > page."
> >
> > In addition to my system, I also tried the login example provided with
> > WebKit, which had some nice ideas, but when I deleted the session
> > cookie in Firefox I got a worse error than the error I had been
> > getting ...
> >
> > Waving my hands wildly in rough seas,
> > Greg
> >
>
> Hi Greg, I'm new to this thread, let me see if I can shed some light.
>
> It looks like you are checking for existence of a Session when
> really you want to be checking for existence of some property
> within the Session object. It doesn't seem like your code should
> care if there's a Session or not, merely "is this user logged in" or not.
>
> This is loosely based on some code in production. Although there
> we use a MixIn to define our own Session class, and I've
> hand-waved how you would actually validate the user, but I think
> you'll get the idea:
>
> from WebUtils.Funcs import urlEncode
> import base64, binascii
>
> class AuthFrame(SiteFrame):
>     ''' Base class for all servlets requiring auth '''
>     def awake(self, transaction):
>         SomeParent.awake(self, transaction)
>         if not self.session().value('user', None):
>             self.sendRedirectAndEnd('/Login?r=' +
>                 urlEncode(base64.encodestring(self.request().uri())))
>
> class Login(SiteFrame):
>     ''' This page should display a login form,
>         which POSTs to itself and invokes the "login" action
>     '''
>     def actions(self):
>         return SomeParent.actions(self) + ['login']
>     def login(self):
>         # process whatever form arguments you need to login ...
>         # let's assume the result is a User object to put in the session ...
>         validatedUser = None  # placeholder: some kind of a User object ...
>         self.session().setValue('user',validatedUser)
>         # Build the redirect URL
>         redirectUrl = self.request().field('r', None)
>         if redirectUrl:
>             try:
>                 redirectUrl = base64.decodestring(redirectUrl)
>             except binascii.Error:
>                 redirectUrl = None
>         # Make sure we don't do something silly like
>         # send the user back to the Login or Logout page
>         # if they clicked a link from the header or something
>         if not redirectUrl \
>         or redirectUrl.find('/Login') > -1 \
>         or redirectUrl.find('/Logout') > -1:
>             redirectUrl = '/'
>         # Send the user back where they came from
>         self.sendRedirectAndEnd(redirectUrl)
>
>
> Then any page you need secured would be:
>
> from SomeWhere import AuthFrame
>
> class SomeSecureFrame(AuthFrame):
>     # define your servlet as normal ...
>     # remember to call the parent's awake() if you override awake() ...
>     pass
>
>
> I use base64 encoding on the redirect argument because I ran into
> trouble with just urlEncode and rare cases of nested redirects.
> You can probably get away without it, but I'll leave that for you.
>
> So there it is. You log in this way and when you delete your
> cookies, voila, you're just taken right back to the login page. :)
>
> Hope that helps,
> Ben