Forum OpenACS Development: Re: Remember Me Feature Broken!

Posted by Dave Bauer on
OK, I reviewed the patch proposed by Victor and it mostly works.

It does not support the "user is identified by an expired login cookie, allow access to public resources and show a 'Hi User' type message" case (i.e. the amazon.com model).

To do this we could add a parameter AllowUntrustedPublicAccess or something similar that would check the user_id cookie for validity but not expiration.

This would allow a valid, expired cookie to be used with a matching IP address for identity but not authorization.

We could make the ad_user_logout conditional on checking the cookie without expiration, and checking the new parameter. This would allow site owners to decide which behavior makes sense.

For a private site, logging out on expiration (or browser close) makes the most sense. For an e-commerce site, for example, requiring login only to checkout or otherwise POST data to the server makes sense.
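The distinction drawn in this post (and agreed to by Victor below) is between a login cookie that proves identity and one that also grants authorization. The following is an added, self-contained illustration of that design; it is not OpenACS code and does not reproduce ad_user_login or ad_user_logout. The cookie layout (`user_id|client_ip|issued_at|hmac`), the secret, the lifetime and the function names are assumptions chosen for the example. It shows how a signature check can succeed while the expiration check fails, and how an AllowUntrustedPublicAccess-style switch decides whether that state becomes "identified only" or a forced logout.

```python
import hashlib
import hmac

# Constructed demo values; a real deployment takes the key from the server's secret store.
SECRET_KEY = b"constructed-demo-secret"
SESSION_LIFETIME = 600  # seconds before the login cookie counts as expired (assumed)

# Three outcomes of inspecting the login cookie.
AUTHENTICATED = "authenticated"  # valid signature, not expired: identity and authorization
IDENTIFIED = "identified"        # valid signature, expired: identity only (greeting, public pages)
ANONYMOUS = "anonymous"          # missing, forged, wrong address, or expired without the parameter


def issue_login_cookie(user_id: int, client_ip: str, issued_at: int) -> str:
    """Build a signed login cookie of the form user_id|client_ip|issued_at|hmac.

    The HMAC covers every field, so the user id, the address and the issue
    time cannot be altered without invalidating the signature.
    """
    payload = f"{user_id}|{client_ip}|{issued_at}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def check_login_cookie(cookie: str, client_ip: str, now: int,
                       allow_untrusted_public_access: bool):
    """Return (state, user_id) for a request carrying `cookie` from `client_ip`.

    Signature and address are checked first; a failure there is always ANONYMOUS
    (the caller should log the user out). Only when the signature is good does
    the expiration check run, and only then does the parameter matter: an
    expired-but-genuine cookie yields IDENTIFIED if the site allows untrusted
    public access, otherwise ANONYMOUS.
    """
    if not cookie:
        return ANONYMOUS, None
    parts = cookie.split("|")
    if len(parts) != 4:
        return ANONYMOUS, None
    user_id_s, cookie_ip, issued_s, sig = parts

    payload = f"{user_id_s}|{cookie_ip}|{issued_s}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return ANONYMOUS, None  # forged or corrupted cookie: never trusted for identity
    if cookie_ip != client_ip:
        return ANONYMOUS, None  # identity is only accepted from the address it was issued to

    # The signature verified, so these fields are the ones we wrote when issuing.
    user_id = int(user_id_s)
    if now - int(issued_s) <= SESSION_LIFETIME:
        return AUTHENTICATED, user_id
    if allow_untrusted_public_access:
        return IDENTIFIED, user_id
    return ANONYMOUS, None


def authorize(state: str, requires_login: bool) -> bool:
    """Decide whether a request may proceed.

    Public pages accept any state (an IDENTIFIED user just gets a greeting);
    anything that needs a login, such as checkout or a POST, requires a fresh,
    AUTHENTICATED cookie.
    """
    if not requires_login:
        return True
    return state == AUTHENTICATED


if __name__ == "__main__":
    cookie = issue_login_cookie(42, "10.0.0.5", issued_at=1000)
    for now, permissive in ((1100, False), (5000, False), (5000, True)):
        state, uid = check_login_cookie(cookie, "10.0.0.5", now, permissive)
        print(f"t={now} AllowUntrustedPublicAccess={permissive}: {state} user={uid} "
              f"public={authorize(state, False)} checkout={authorize(state, True)}")
```

The point to notice is the ordering: the signature and address checks are unconditional, and the new parameter only widens what happens after they pass. A forged cookie or one presented from a different address is anonymous regardless of the setting, so the permissive mode never grants more than a greeting.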

Posted by Dave Bauer on
Hi, any response to my suggestion to add a new parameter to fix the previous behavior for semi-public sites?
Posted by Victor Guerra on
Yes, at the moment (even with my patch applied) users are being logged out when retrieval of the session cookie fails (for any of these reasons: the session cookie does not exist, validation of the session cookie's signature fails, or the session cookie has expired).

So I think that adding this parameter for controlling whether or not to force the logout makes sense. Then, using a combination of the parameter AllowPersistentLoginP and this new parameter (AllowUntrustedPublicAccess perhaps) would be enough to cover all possible scenarios.

We could then proceed this way.