Return-Path:
Mailing-List: contact cocoon-users-help@xml.apache.org; run by ezmlm
Delivered-To: mailing list cocoon-users@xml.apache.org
Received: (qmail 13317 invoked from network); 13 Jul 2000 10:26:23 -0000
Received: from frankfurt.denic.de (HELO notes.denic.de) (194.246.96.101)
  by locus.apache.org with SMTP; 13 Jul 2000 10:26:23 -0000
Received: from denic.de ([192.168.0.187])
  by notes.denic.de (Lotus Domino Version 5.0.2c (Intl))
  with ESMTP id 2000071312252204:272 ; Thu, 13 Jul 2000 12:25:22 +0200
Sender: ulim
Message-ID: <396D99F0.D275BE83@denic.de>
Date: Thu, 13 Jul 2000 12:29:04 +0200
From: Ulrich Mayring
Organization: DENIC eG
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.12-32 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: cocoon-users@xml.apache.org
Subject: Re: create-session attribute of xsp:page
References: <396C9632.3CB0D8AC@msdw.com>
X-MIMETrack: Itemize by SMTP Server on notes/Denic(Version 5.0.2c (Intl)|08 Februar 2000) at 13.07.2000 12:25:22,
  Serialize by Router on notes/Denic(Version 5.0.2c (Intl)|08 Februar 2000) at 13.07.2000 12:25:34,
  Serialize complete at 13.07.2000 12:25:34
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii

Jeremy Quinn wrote:
>
> You will notice that the tag can take an optional
> "create-session" attribute, that you can set to "true".

I have written my own session handling, because I want to authenticate against a database. Thus I don't want to automatically create a new session, but only if authentication was successful. If it wasn't successful I don't need a new session, I just do a redirect to the login page.

This has the advantage that no usernames and passwords appear anywhere in my XML files, they are stored in the database. And all my sensitive pages are protected, no matter where they are located, because they redirect to the login page, if there is no session.

Thus I have taken authentication completely away from the filesystem and the webserver, I do everything against a database, which probably is much harder to hack (the database being behind a Firewall, too).

If anyone is interested in this scheme, just ask me. I am currently wondering if I can put it in a taglib and contribute it. It can't run out of the box, due to the many different databases out there, but I could provide a way to set database driver and URL with a taglib.

Ulrich

--
Ulrich Mayring
DENIC eG, Systementwicklung
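
An added example, not part of the original message and not the author's code: a minimal Python model of the flow described above, where a session is allocated only after a successful database check and every protected page redirects to the login page when no session exists. The in-memory SQLite table, the `/login` path, the class and function names, and the use of salted PBKDF2 hashes instead of stored passwords are all assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, sqlite3

LOGIN_PAGE = "/login"      # assumed login URL
ITERATIONS = 100_000       # assumed PBKDF2 work factor

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_db():
    """Constructed sample data: one user in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db

class App:
    def __init__(self, db):
        self.db = db
        self.sessions = {}     # session id -> user name

    def login(self, name, password):
        """Return (status, location, session_id); a session exists only on success."""
        # Parameterised query: the user name is never spliced into the SQL text.
        row = self.db.execute(
            "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
        # Hash for unknown users too, so both failure paths do the same work.
        salt, stored = row if row else (b"\0" * 16, b"")
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if not (ok and row is not None):
            return 302, LOGIN_PAGE, None       # failure: nothing is allocated
        sid = secrets.token_urlsafe(32)        # unguessable session identifier
        self.sessions[sid] = name
        return 302, "/", sid

    def protected_page(self, sid):
        """The check every sensitive page runs first, wherever it is located."""
        user = self.sessions.get(sid) if sid else None
        if user is None:
            return 302, LOGIN_PAGE             # no session: back to the login page
        return 200, f"hello {user}"
```

Because failed logins never allocate a session, unauthenticated traffic cannot grow the session table, and a forged or missing identifier is treated the same as no session at all.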