Ticket #2421 (reopened enhancement)

Opened 9 months ago

Last modified 3 months ago

No apparent way to implement "remember me" into a login form

Reported by: seedifferently Assigned to:
Priority: normal Milestone: 2.1
Component: TurboGears Version: trunk
Severity: normal Keywords:
Cc:

Description

Currently the default repoze.who implementation keeps a login active during the duration of the session. As soon as the session is closed, the auth info is lost. Having a "remember me" checkbox is a common option on logins to keep the auth information longer than the duration of the session. This way the login can be skipped during later visits.

When trying to implement this for a client today, I spent several hours digging around for an optimal solution before finally throwing an embarrassingly terrible monkey-patch into the repose.who auth_tkt plugin file.

Can a solution for this please be documented or implemented? Perhaps there's a way to use base_config.sa_auth.form_plugin to inject the "identity" object with a max_age parameter, but I simply could not figure it out or find a helpful lead on it.

Gustavo added this capability to repoze.who several months ago, but I am unsure how it could be implemented on the TG side of things. For reference please see Gustavo's post here: http://groups.google.com/group/turbogears/browse_thread/thread/da23799e9b13e451

I would be more than happy to write documentation on this if a clear solution was available.

Thank you, Seth

Change History

01/26/10 20:18:52 changed by percious

  • milestone changed from __unclassified__ to 2.1.

01/29/10 06:41:59 changed by jorge.vargas

  • status changed from new to closed.
  • resolution set to fixed.

gustavonarea: It's fixed in repoze.what-quickstart v1.0.5: http://code.gustavonarea.net/repoze.what-quickstart/News.html

01/29/10 14:03:43 changed by seedifferently

  • status changed from closed to reopened.
  • resolution deleted.

Jorge,

Not to disagree with you, but unless I'm missing something here, the repoze package updates are only part of the issue and don't exactly close this ticket.

My understanding of Gustavo's update would mean that adding a base_config.sa_auth.cookie_timeout value to your app_cfg.py would cause the login to be remembered for the specified amount of time *every time* a login was done. That is different than in a "remember me" checkbox-form instance where sometimes you want the login remembered, and sometimes you do not (based on the user's input).

Perhaps this is a documentation issue now, but in my opinion there is still "No apparent way to implement 'remember me' into a login form". The cookie timeout setting should be dynamic enough that it can be toggled as easily as processing a checkbox value from a login form.

Thanks, Seth

03/09/10 15:59:31 changed by Gustavo

A few weeks ago I received an email requesting this feature. Here's my response: 

repoze.who-friendlyform is not in charge of remembering the user. This
is why it uses a proper "rememberer" internally -- friendlyform doesn't
read/set cookies.

The place where this should be implemented is in the rememberer used by
friendlyform. So, you can either propose a patch for auth_tkt in
repoze.who or extend friendly form like this:
http://pastebin.com/f7a0abe24

But I'd recommend the first option (fixing it in auth_tkt).