From: Greg M. <gmc...@gm...> - 2005-04-02 03:16:08
Hey Ben,

Sorry I took so long to get back to you, I really do appreciate the help.
I've just been swamped with work.

Okay, yeah, I looked at your code and that would definitely seem to be what
I need to do. That you tell me this works for you makes me crazy, since this
is how I started out in the first place, but when this approach didn't work
for me I assumed that I was not understanding something. So now I'm back to
square one.

I don't know what it could be. I'm going to try and download the latest
Webware code and try to code an Auth framework from scratch, minus all of
the other code for the app that's floating around. If I can isolate just the
framework code, maybe I can figure out what's going wrong.

Thanks for the help.

All the best,
Greg

On Mar 31, 2005 1:41 PM, Ben Parker <be...@we...> wrote:
>
> Ha sorry, you'll see references to "SomeParent" in that code which should be
> "SiteFrame". I started to convert to your Frame naming convention but
> didn't follow through. :)
>
> > -----Original Message-----
> > From: Ben Parker [mailto:be...@we...]
> > Sent: Thursday, March 31, 2005 1:38 PM
> > To: Greg McClure
> > Cc: Webware discussion list
> > Subject: RE: [Webware-discuss] Session Cookies Issue
> >
> >
> > > -----Original Message-----
> > > From: web...@li...
> > > [mailto:web...@li...]On Behalf Of Greg
> > > McClure
> > >
> > > ...
> > >
> > > My real problem is that I can not get my code to detect session cookie
> > > deletion. I feel like I'm missing something obvious, but I'm looking
> > > for anyone to say, "Here it is. You log in this way and when you
> > > delete your cookies, voila, you're just taken right back to the login
> > > page."
> > >
> > > In addition to my system, I also tried the login example provided with
> > > WebKit, which had some nice ideas, but when I deleted the session
> > > cookie in Firefox I got a worse error than the error I had been
> > > getting ...
> > >
> > > Waving my hands wildly in rough seas,
> > > Greg
> > >
> >
> > Hi Greg, I'm new to this thread, let me see if I can shed some light.
> >
> > It looks like you are checking for existence of a Session when
> > really you want to be checking for existence of some property
> > within the Session object. It doesn't seem like your code should
> > care if there's a Session or not, merely "is this user logged in" or not.
> >
> > This is loosely based on some code in production. Although there
> > we use a MixIn to define our own Session class, and I've
> > hand-waved how you would actually validate the user, but I think
> > you'll get the idea:
> >
> > from WebUtils.Funcs import urlEncode
> > import base64, binascii
> >
> > class AuthFrame(SiteFrame):
> >     ''' Base class for all servlets requiring auth '''
> >     def awake(self, transaction):
> >         SomeParent.awake(self, transaction)
> >         # Check for the 'user' value, not for the session itself
> >         if not self.session().value('user', None):
> >             self.sendRedirectAndEnd('/Login?r=' +
> >                 urlEncode(base64.encodestring(self.request().uri())))
> >
> > class Login(SiteFrame):
> >     ''' This page should display a login form,
> >     which POSTs to itself and invokes the "login" action
> >     '''
> >     def actions(self):
> >         return SomeParent.actions(self) + ['login']
> >     def login(self):
> >         # process whatever form arguments you need to login ...
> >         # let's assume the result is a User object to put in the session ...
> >         validatedUser = # some kind of a User object ...
> >         self.session().setValue('user',validatedUser)
> >         # Build the redirect URL
> >         redirectUrl = self.request().field('r', None)
> >         if redirectUrl:
> >             try:
> >                 redirectUrl = base64.decodestring(redirectUrl)
> >             except binascii.Error:
> >                 redirectUrl = None
> >         # Make sure we don't do something silly like
> >         # send the user back to the Login or Logout page
> >         # if they clicked a link from the header or something
> >         if not redirectUrl \
> >                 or redirectUrl.find('/Login') > -1 \
> >                 or redirectUrl.find('/Logout') > -1:
> >             redirectUrl = '/'
> >         # Send the user back where they came from
> >         self.sendRedirectAndEnd(redirectUrl)
> >
> >
> > Then any page you need secured would be:
> >
> > from SomeWhere import AuthFrame
> >
> > class SomeSecureFrame(AuthFrame):
> >     # define your servlet as normal ...
> >     # remember to call the parent's awake() if you override awake() ...
> >
> >
> > I use base64 encoding on the redirect argument because I ran into
> > trouble with just urlEncode and rare cases of nested redirects.
> > You can probably get away without it, but I'll leave that for you.
> >
> > So there it is. You log in this way and when you delete your
> > cookies, voila, you're just taken right back to the login page. :)
> >
> > Hope that helps,
> > Ben
>
>
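Added example, not part of the original thread or of Webware: the `r` value in the quoted Login servlet arrives with the request, so the decoded target should be checked before it is handed to a redirect. This Python 3 sketch accepts only site-relative paths; the names `encode_return_path`, `safe_return_path` and `BLOCKED_PATHS` are hypothetical, and URL-safe base64 is an assumption in place of `encodestring`/`decodestring`.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Pages a user should never be bounced back to after login (from the thread).
BLOCKED_PATHS = ("/Login", "/Logout")


def encode_return_path(uri):
    """Encode the originally requested URI for the ?r= parameter."""
    return base64.urlsafe_b64encode(uri.encode("utf-8")).decode("ascii")


def safe_return_path(r_value, default="/"):
    """Decode ?r= and return it only if it is a local path, else default."""
    if not r_value:
        return default
    try:
        raw = base64.urlsafe_b64decode(r_value.encode("ascii"))
        target = raw.decode("utf-8")
    except (binascii.Error, UnicodeError, ValueError):
        return default
    # Reject control characters (CR/LF would split the Location header) and
    # backslashes, which some browsers treat like '/'.
    if any(ord(c) < 0x20 or c == "\\" for c in target):
        return default
    # Exactly one leading slash: "//host/path" is a scheme-relative URL
    # and would leave the site.
    if not target.startswith("/") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    # Compare the path component exactly rather than with find(), so a page
    # such as /Reports?name=/Login is still a valid return target.
    if parts.path.rstrip("/") in BLOCKED_PATHS:
        return default
    return target
```

In the servlet, the result of `safe_return_path(...)` is what would be passed to `sendRedirectAndEnd()`.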