Thanks for your answer, Carsten !
Details below :

Carsten Ziegeler wrote:
Olivier Billard wrote:

Hi cocooners !

For a project, I must have a unique authentication per user.
If I have understood well, currently the auth-fw is based on session existence to check if a user is authenticated.


But it doesn't prevent users from using several browsers (and/or browser
windows) in different locations to authenticate twice.

I had a discussion with Sylvain (many thanks to him !), who proposed to use the org.apache.cocoon.environment.Context to store a map of authenticated users, as a reference to check for extra authentication.

It would be very interesting if it could be embedded into, maybe a org.apache.cocoon.webapps.authentication.components.Authenticator, to fit the actual auth-fw. And in addition the "user authentication context" stored in the context map should be aware of session invalidation, to clear itself from the map, and maybe deal with some other cleaning (two asses kicked with one foot ;)).



Is this the right way to go ? Is there another better way ?


Good questions :)


From your description I guess that when a user uses a second browser
the user has to authenticate again.

Yes.

It is not possible to know that this user is the same one as someone else who has
already logged in.
Or do I overlook something?

No, you're right, and that's exactly the problem :)


You can write your own Authenticator to test if this user is already
logged in - for example by storing the information in the context.
But of course this user gets his own session and there his own
session context where data might be stored.
If you want these two users (who are actually the same :) ) to share
the same data you have to do this yourself and store/retrieve the
data from the appropriate places.

Since I don't want any user to try to login without disabling the previous session, no problem here :)



I think you can handle the invalidation using a session listener.

Thanks for confirming the idea ! I'll go this way !

--
Olivier
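
The approach agreed on in this thread (a map of authenticated users kept in the application context, cleaned up by a session listener), sketched as an added example that is not part of the original messages and is not Cocoon or auth-fw code. It uses only the standard Servlet API (2.4 or later assumed, so that session attributes are still readable in `sessionDestroyed`); the class name, attribute names and `tryRegister` are hypothetical, and a custom Authenticator would call `tryRegister` after the credentials check succeeds.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical helper: at most one authenticated session per user id. */
public class SingleLoginRegistry implements HttpSessionListener {
    // Assumed attribute names; nothing in Cocoon defines them.
    static final String REGISTRY_ATTR = "example.singleLogin.registry";
    static final String USER_ATTR = "example.singleLogin.userId";

    /** Application-wide map userId -> owning session id, created on first use. */
    @SuppressWarnings("unchecked")
    private static ConcurrentMap<String, String> registry(ServletContext ctx) {
        synchronized (ctx) {
            ConcurrentMap<String, String> map =
                (ConcurrentMap<String, String>) ctx.getAttribute(REGISTRY_ATTR);
            if (map == null) {
                map = new ConcurrentHashMap<String, String>();
                ctx.setAttribute(REGISTRY_ATTR, map);
            }
            return map;
        }
    }

    /** Returns false when the user already owns a different live session. */
    public static boolean tryRegister(HttpSession session, String userId) {
        // putIfAbsent is atomic, so two simultaneous logins cannot both win.
        String owner = registry(session.getServletContext())
            .putIfAbsent(userId, session.getId());
        if (owner != null && !owner.equals(session.getId())) {
            return false; // refuse the second login
        }
        session.setAttribute(USER_ATTR, userId); // remembered for cleanup
        return true;
    }

    public void sessionCreated(HttpSessionEvent se) { }

    /** Runs on logout and on timeout, so an abandoned browser frees the slot. */
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        Object userId = session.getAttribute(USER_ATTR);
        if (userId != null) {
            // Remove the entry only if this session still owns it.
            registry(session.getServletContext()).remove(userId, session.getId());
        }
    }
}
```

The listener has to be declared in a `<listener>` element of `web.xml`. The map lives in one JVM, so a clustered deployment would need a shared store instead.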


