Posted to dev@cocoon.apache.org by Olivier Billard <ob...@jouve.fr> on 2004/06/09 15:55:24 UTC

[Authentication-fw] Per-user unique authentication

Hi cocooners !

For a project, I must have a unique authentication per user.
If I have understood correctly, the auth-fw is currently based on session 
existence to check if a user is authenticated.

But it doesn't prevent users from using several browsers (and/or browser 
windows) in different locations to authenticate twice.

I had a discussion with Sylvain (many thanks to him !), who proposed 
using the org.apache.cocoon.environment.Context to store a map of 
authenticated users, as a reference to check for extra authentication.

It would be very interesting if it could be embedded into, maybe, an 
org.apache.cocoon.webapps.authentication.components.Authenticator, to 
fit the actual auth-fw. And in addition the "user authentication 
context" stored in the context map should be aware of session 
invalidation, to clear itself from the map, and maybe deal with some 
other cleaning (two asses kicked with one foot ;)).


Is this the right way to go ?
Is there another better way ?


Many thanks !

--
Olivier Billard


Re: [Authentication-fw] Per-user unique authentication

Posted by Olivier Billard <ob...@jouve.fr>.
Thanks for your answer, Carsten !
Details below :

Carsten Ziegeler wrote:
> Olivier Billard wrote:
> 
>>Hi cocooners !
>>
>>For a project, I must have a unique authentication per user.
>>If I have understood correctly, the auth-fw is currently based on 
>>session existence to check if a user is authenticated.
>>
>>But it doesn't prevent users from using several browsers (and/or browser
>>windows) in different locations to authenticate twice.
>>
>>I had a discussion with Sylvain (many thanks to him !), who 
>>proposed using the org.apache.cocoon.environment.Context to 
>>store a map of authenticated users, as a reference to check 
>>for extra authentication.
>>
>>It would be very interesting if it could be embedded into, 
>>maybe, an 
>>org.apache.cocoon.webapps.authentication.components.Authenticator, 
>>to fit the actual auth-fw. And in addition the "user 
>>authentication context" stored in the context map should be 
>>aware of session invalidation, to clear itself from the map, 
>>and maybe deal with some other cleaning (two asses kicked 
>>with one foot ;)).
>>
>>
>>Is this the right way to go ?
>>Is there another better way ?
>>
> 
> Good questions :) 
> 
> From your description I guess that when a user uses a second browser
> the user has to authenticate again.

Yes.

> It is not possible to know that this user is the same one as someone else who has already logged in.
> Or do I oversee something?

No, you're right, and that's exactly the problem :)


> You can write your own Authenticator to test if this user is already
> logged in - for example by storing the information in the context.
> But of course this user gets his own session and there his own
> session context where data might be stored.
> If you want these two users (who are actually the same :) ) to share
> the same data you have to do this yourself and store/retrieve the
> data from the appropriate places.

Since I don't want any user to try to log in without disabling the previous 
session, no problem here :)


> I think you can handle the invalidation using a session listener.

Thanks for confirming the idea !
I'll go this way !

--
Olivier


RE: [Authentication-fw] Per-user unique authentication

Posted by Carsten Ziegeler <cz...@s-und-n.de>.
Olivier Billard wrote:
> 
> Hi cocooners !
> 
> For a project, I must have a unique authentication per user.
> If I have understood correctly, the auth-fw is currently based on 
> session existence to check if a user is authenticated.
> 
> But it doesn't prevent users from using several browsers (and/or browser
> windows) in different locations to authenticate twice.
> 
> I had a discussion with Sylvain (many thanks to him !), who 
> proposed using the org.apache.cocoon.environment.Context to 
> store a map of authenticated users, as a reference to check 
> for extra authentication.
> 
> It would be very interesting if it could be embedded into, 
> maybe, an 
> org.apache.cocoon.webapps.authentication.components.Authenticator, 
> to fit the actual auth-fw. And in addition the "user 
> authentication context" stored in the context map should be 
> aware of session invalidation, to clear itself from the map, 
> and maybe deal with some other cleaning (two asses kicked 
> with one foot ;)).
> 
> 
> Is this the right way to go ?
> Is there another better way ?
> 
Good questions :) 

From your description I guess that when a user uses a second browser
the user has to authenticate again. It is not possible to know that
this user is the same one as someone else who has already logged in.
Or do I oversee something?

You can write your own Authenticator to test if this user is already
logged in - for example by storing the information in the context.
But of course this user gets his own session and there his own
session context where data might be stored.
If you want these two users (who are actually the same :) ) to share
the same data you have to do this yourself and store/retrieve the
data from the appropriate places.

I think you can handle the invalidation using a session listener.

HTH
Carsten
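

The approach discussed in this thread (an application-wide map of logged-in users that cleans itself up when the session ends), sketched as an added example that is not code from any of the posters or from Cocoon. LoginRegistry, LoginTicket and the attribute name are hypothetical; it assumes the javax.servlet API is on the classpath and leaves out the call from a custom Authenticator.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** One instance per web application, kept as an application-context attribute.
 *  Maps user id -> id of the session that currently owns that login. */
final class LoginRegistry {
    private final ConcurrentMap<String, String> owners = new ConcurrentHashMap<>();

    /** Atomic check-and-claim: a separate get() followed by put() would let two
     *  concurrent logins for the same user both succeed. */
    boolean tryClaim(String userId, String sessionId) {
        return owners.putIfAbsent(userId, sessionId) == null;
    }

    /** Conditional remove: a stale session must not evict a newer owner. */
    void release(String userId, String sessionId) {
        owners.remove(userId, sessionId);
    }
}

/** Stored in the session. The container calls valueUnbound() when the attribute
 *  is removed or replaced, or when the session is invalidated or times out. */
final class LoginTicket implements HttpSessionBindingListener {
    static final String ATTR = "example.loginTicket"; // hypothetical name
    private final LoginRegistry registry;
    private final String userId;
    private final String sessionId;

    private LoginTicket(LoginRegistry registry, String userId, String sessionId) {
        this.registry = registry;
        this.userId = userId;
        this.sessionId = sessionId;
    }

    /** Call only after the credentials were verified; false refuses a second login. */
    static boolean login(LoginRegistry registry, HttpSession session, String userId) {
        Object held = session.getAttribute(ATTR);
        if (held instanceof LoginTicket && ((LoginTicket) held).userId.equals(userId)) {
            return true; // already logged in here; replacing the ticket would unbind it
        }
        if (!registry.tryClaim(userId, session.getId())) {
            return false; // another session already holds this user
        }
        session.setAttribute(ATTR, new LoginTicket(registry, userId, session.getId()));
        return true;
    }

    @Override public void valueBound(HttpSessionBindingEvent event) { }

    @Override public void valueUnbound(HttpSessionBindingEvent event) {
        registry.release(userId, sessionId);
    }
}
```

The map lives in a single JVM, so a clustered deployment needs a shared store instead. A user who closes the browser without logging out stays registered until the session times out, so the session timeout determines how long that user is refused a new login.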