Posted to dev@cocoon.apache.org by Olivier Billard <ob...@jouve.fr> on 2004/06/09 15:55:24 UTC
[Authentication-fw] Per-user unique authentication
Hi cocooners !
For a project, I must have a unique authentication per user.
If I have understood correctly, currently, the auth-fw is based on session
existence to check if a user is authenticated.
But it doesn't prevent users from using several browsers (and/or browser
windows) on different locations to authenticate twice.
I had a discussion with Sylvain (many thanks to him !), who proposed to
use the org.apache.cocoon.environment.Context to store a map of
authenticated users, as a reference to check for extra authentication.
It would be very interesting if it could be embedded into, maybe a
org.apache.cocoon.webapps.authentication.components.Authenticator, to
fit the actual auth-fw. And in addition the "user authentication
context" stored in the context map should be aware of session
invalidation, to clear itself from the map, and maybe deal with some
other cleaning (two asses kicked with one foot ;)).
Is this the right way to go ?
Is there another better way ?
Many thanks !
--
Olivier Billard
Re: [Authentication-fw] Per-user unique authentication
Posted by Olivier Billard <ob...@jouve.fr>.
Thanks for your answer, Carsten !
Details below :
Carsten Ziegeler wrote:
> Olivier Billard wrote:
>
>>Hi cocooners !
>>
>>For a project, I must have a unique authentication per user.
>>If I have understood correctly, currently, the auth-fw is based on
>>session existence to check if a user is authenticated.
>>
>>But it doesn't prevent users from using several browsers (and/or browser
>>windows) on different locations to authenticate twice.
>>
>>I had a discussion with Sylvain (many thanks to him !), who
>>proposed to use the org.apache.cocoon.environment.Context to
>>store a map of authenticated users, as a reference to check
>>for extra authentication.
>>
>>It would be very interesting if it could be embedded into,
>>maybe a
>>org.apache.cocoon.webapps.authentication.components.Authenticator,
>>to fit the actual auth-fw. And in addition the "user
>>authentication context" stored in the context map should be
>>aware of session invalidation, to clear itself from the map,
>>and maybe deal with some other cleaning (two asses kicked
>>with one foot ;)).
>>
>>
>>Is this the right way to go ?
>>Is there another better way ?
>>
>
> Good questions :)
>
> From your description I guess that when a user uses a second browser
> the user has to authenticate again.
Yes.
> It is not possible to know that this user is the same one as someone else who has already logged in.
> Or do I oversee something?
No you're right, and that's exactly the problem :)
> You can write your own Authenticator to test if this user is already
> logged in - for example by storing the information in the context.
> But of course this user gets his own session and there his own
> session context where data might be stored.
> If you want that these two users (who are actually the same :) ) share
> the same data you have to do this yourself and store/retrieve the
> data from the appropriate places.
Since I don't want any user to try to login without disabling previous
session, no problem here :)
> I think you can handle the invalidation using a session listener.
Thanks for confirming the idea !
I'll go this way !
--
Olivier
RE: [Authentication-fw] Per-user unique authentication
Posted by Carsten Ziegeler <cz...@s-und-n.de>.
Olivier Billard wrote:
>
> Hi cocooners !
>
> For a project, I must have a unique authentication per user.
> If I have understood correctly, currently, the auth-fw is based on
> session existence to check if a user is authenticated.
>
> But it doesn't prevent users from using several browsers (and/or browser
> windows) on different locations to authenticate twice.
>
> I had a discussion with Sylvain (many thanks to him !), who
> proposed to use the org.apache.cocoon.environment.Context to
> store a map of authenticated users, as a reference to check
> for extra authentication.
>
> It would be very interesting if it could be embedded into,
> maybe a
> org.apache.cocoon.webapps.authentication.components.Authenticator,
> to fit the actual auth-fw. And in addition the "user
> authentication context" stored in the context map should be
> aware of session invalidation, to clear itself from the map,
> and maybe deal with some other cleaning (two asses kicked
> with one foot ;)).
>
>
> Is this the right way to go ?
> Is there another better way ?
>
Good questions :)
From your description I guess that when a user uses a second browser
the user has to authenticate again. It is not possible to know that
this user is the same one as someone else who has already logged in.
Or do I oversee something?
You can write your own Authenticator to test if this user is already
logged in - for example by storing the information in the context.
But of course this user gets his own session and there his own
session context where data might be stored.
If you want that these two users (who are actually the same :) ) share
the same data you have to do this yourself and store/retrieve the
data from the appropriate places.
I think you can handle the invalidation using a session listener.
HTH
Carsten
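
The approach settled on in this thread (a map of logged-in users kept in the application context, cleaned up by a session listener), as an added example that is not code from the thread or from Cocoon. It assumes the plain servlet API (`javax.servlet`, using `HttpSessionBindingListener` as the session listener) rather than Cocoon's Authenticator interface, and the class name `SingleLoginRegistry` and both attribute names are hypothetical.

```java
import java.io.Serializable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

/** Hypothetical helper (not Cocoon API): at most one live session per user ID. */
public final class SingleLoginRegistry {
    // Constructed attribute names, chosen for this example only.
    private static final String REGISTRY_ATTR = "example.singleLogin.registry";
    private static final String TOKEN_ATTR = "example.singleLogin.token";

    // user ID -> ID of the session that currently holds that user's login
    private final ConcurrentMap<String, String> active = new ConcurrentHashMap<>();

    /** One registry per web application, stored in the application context. */
    public static synchronized SingleLoginRegistry of(ServletContext ctx) {
        SingleLoginRegistry r = (SingleLoginRegistry) ctx.getAttribute(REGISTRY_ATTR);
        if (r == null) {
            r = new SingleLoginRegistry();
            ctx.setAttribute(REGISTRY_ATTR, r);
        }
        return r;
    }

    /** Call once the credentials are verified; false means the user is logged in elsewhere. */
    public boolean tryLogin(String userId, HttpSession session) {
        String holder = active.putIfAbsent(userId, session.getId()); // atomic check-and-claim
        if (holder == null) {
            // Bind the token so the container tells us when this session ends.
            session.setAttribute(TOKEN_ATTR, new Token(userId, session.getId()));
            return true;
        }
        return holder.equals(session.getId()); // repeat login from the owning session is fine
    }

    /** Session-scoped marker: valueUnbound runs when the session is invalidated or times out. */
    private static final class Token implements HttpSessionBindingListener, Serializable {
        private final String userId;
        private final String sessionId;
        Token(String userId, String sessionId) { this.userId = userId; this.sessionId = sessionId; }

        public void valueBound(HttpSessionBindingEvent e) { /* nothing to do on bind */ }

        public void valueUnbound(HttpSessionBindingEvent e) {
            // remove(key, value) clears the entry only if this session still owns it
            of(e.getSession().getServletContext()).active.remove(userId, sessionId);
        }
    }
}
```

The map lives in a single JVM's application context, so it does not see logins on other nodes of a cluster, and a user whose browser dies stays registered until the old session times out.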