cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Olivier Billard <>
Subject Re: [Authentication-fw] Per-user unique authentication
Date Wed, 09 Jun 2004 14:47:25 GMT
Thanks for you answer, Carsten !
Details below :

Carsten Ziegeler wrote:
> Olivier Billard wrote:
>>Hi cocooners !
>>For a project, I must have a unique authentication per user.
>>If I have well understood, currently, the auth-fw is based on 
>>session existency to check if a user is authenticated.
>>But it doesn't prevent users to use several browsers (and/or browser
>>windows) on different locations to authenticate twice.
>>I had a discussion with Sylvain (many thanks to him !), that 
>>proposed to use the org.apache.cocoon.environment.Context to 
>>store a map of authenticated users, as a reference to check 
>>for extra authentication.
>>It would be very interesting if it could be embeded into, 
>>maybe a 
>>tor, to fit the actual auth-fw. And in addition the "user 
>>authentication context" stored in the context map should be 
>>aware of session invalidation, to clear itself from the map, 
>>and maybe deal with some other cleaning (two asses kicked 
>>with one foot ;)).
>>Is this the right way to go ?
>>Is there another better way ?
> Good questions :) 
> From your description I guess that when a user uses a second browser
> the user has to authenticate again.


> It is not possible to know that this user is the same one than someone else who has already
logged in.
> Or do I oversee something?

No you're right, and that exactly the problem :)

> You can write your own Authenticator to test if this user is already
> logged in - for example by storing the information in the context.
> But of course this user gets his own session and there his own
> session context where data might be stored.
> If you want that this two users (who are actually the same :) ) share
> the same data you have to do this yourself and store/retrieve the
> data from the appropriate places.

Since I don't want any user to try to login without disabling previous 
session, no problem here :)

> I think you can handle the invalidation using a session listener.

Thanks for confirming the idea !
I'll go this way !


View raw message