I've been doing some testing of a new site, and I've used repoze.who and repoze.what for authentication and authorization respectively. I did notice one unusual behavior with AuthTktCookiePlugin, however. If I log in to the site, I receive an auth_tkt cookie. Once I have that, I drop and recreate the database, as well as cleaning out any server-side session data. Having done all that, I imagine that my environment is a clean slate, yet the predicate not_anonymous returns true, even though I haven't logged in yet. That's because the credential data coming from the client cookie is entirely trusted. I was imagining some sort of collaboration between the client and server, such that the client cookie was just an index into a session.
Now, I could just write an identifier that uses the session for storage, which would keep the two in sync, but I wanted to make sure that: 1) this wasn't a known problem, or 2) there isn't already some other identifier plugin that satisfies my needs. (The other possibility is just a stricter predicate, is_valid_user, I suppose, but then I'm still trusting the client to tell me who's logged in...)

Thanks,
Douglas Mayle

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
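An added illustration of the behavior described in the post, not code from repoze.who or from the poster: a simplified HMAC-signed ticket stands in for the auth_tkt cookie, and a cookie-only check (all `not_anonymous` needs) sits beside a server-backed `is_valid_user` that rejects tickets issued before the user store was recreated. The ticket format, the secret, and the `ServerState` store are constructed assumptions.

```python
import hmac
import hashlib
import time

SECRET = b"constructed-server-secret"  # constructed stand-in for the auth_tkt secret


def issue_ticket(userid, ts=None):
    """Signed ticket 'userid!timestamp!hmac', a stand-in for an auth_tkt cookie."""
    ts = int(ts if ts is not None else time.time())
    payload = f"{userid}!{ts}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}!{sig}"


def identify_from_cookie(ticket):
    """Cookie-only identification: a valid signature is the only thing checked."""
    try:
        userid, ts, sig = ticket.split("!")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{userid}!{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or foreign ticket
    return {"userid": userid, "issued": int(ts)}


def not_anonymous(identity):
    """Mirrors the lax predicate: any signed cookie counts as logged in."""
    return identity is not None


class ServerState:
    """Constructed server-side store: users and the time their sessions became valid."""

    def __init__(self):
        self.users = {}

    def add_user(self, userid, now=None):
        self.users[userid] = {"valid_from": int(now if now is not None else time.time())}

    def reset(self):
        # Simulates dropping and recreating the database.
        self.users = {}


def is_valid_user(identity, state):
    """Stricter predicate: the cookie is only an index; the server decides."""
    if identity is None:
        return False
    rec = state.users.get(identity["userid"])
    return rec is not None and identity["issued"] >= rec["valid_from"]
```

After `state.reset()` the same cookie still satisfies `not_anonymous`, but `is_valid_user` fails until a fresh ticket is issued against the recreated store.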