Short description
Sometimes, when I use a guest system to log in to a wiki, it would be nice if I could control the cookie lifetime of that session on that machine. For that case, I would prefer a checkbox or pull-down menu in the login form listing some lifetimes, e.g. 15min, 2h, 4h, 10h, 1 week, always.
That would be something like the dead man switch described at MoinMoinPatch/SecurityString -- ReimarBauer 2006-04-22 08:02:25
Two patches are necessary:
1 --- userform_orig.py 2006-04-18 20:56:56.000000000 +0200
2 +++ userform.py 2006-04-22 09:12:29.340658000 +0200
3 @@ -674,7 +674,19 @@
4 type="password", size="32", name="password",
5 ),
6 ])
7 -
8 +
9 + txt="""
10 +<form>
11 + <input type="radio" name="RememberFor" value="0.25">15min
12 + <input type="radio" name="RememberFor" value="2">2h
13 + <input type="radio" name="RememberFor" value="4">4h
14 + <input type="radio" name="RememberFor" value="10">10h
15 + <input type="radio" name="RememberFor" value="168">1 week
16 + <input type="radio" name="RememberFor" value="87600" checked="87600">always
17 +</form>"""
18 +
19 + self.make_row(_('Remember me'), txt, valign="top")
20 +
21 self.make_row('', [
22 html.INPUT(
23 type="submit", name='login', value=_('Login')
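Review bot: The `<form>` ... `</form>` wrapper in the new `txt` string should go. This row sits between the password row and the submit row of the login form, so the radio buttons end up in a nested form, which is invalid HTML and may keep `RememberFor` from being submitted with the login. `checked="87600"` also preselects "always", the longest lifetime; for the guest-machine use case a short default is the safer choice. The option labels are not passed through `_()` the way 'Remember me' and 'Login' are, and the row is a raw HTML string where the neighbouring rows use `html.INPUT`.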
1 --- login_orig.py 2006-04-18 20:55:43.000000000 +0200
2 +++ login.py 2006-04-22 09:12:10.659497968 +0200
3 @@ -9,8 +9,8 @@
4 @copyright: 2006 by Thomas Waldmann
5 @license: GNU GPL, see COPYING for details.
6 """
7 -
8 -from MoinMoin import user, wikiutil, userform
9 +import time
10 +from MoinMoin import user, wikiutil, userform, auth
11 from MoinMoin.Page import Page
12
13 def execute(pagename, request):
14 @@ -36,6 +36,10 @@
15 if islogin: # user pressed login button
16 # Trying to login with a user name and a password
17 # Require valid user name
18 + expires = float(form.get('RememberFor', [''])[0])
19 + request.cfg.cookie_lifetime = expires
20 + auth.deleteCookie(request)
21 +
22 name = form.get('name', [''])[0]
23 if not user.isValidName(request, name):
24 error = _("""Invalid user name {{{'%s'}}}.
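Review bot: `float(form.get('RememberFor', [''])[0])` raises ValueError when the field is absent, because the default is an empty string, and it accepts whatever number the client sends, so the lifetime is not limited to the six values offered in the form. Check the value against the known choices and fall back to a default. Assigning the result to `request.cfg.cookie_lifetime` writes a per-login choice into the wiki configuration object instead of keeping it local to this login, and `auth.deleteCookie(request)` runs before the name and password are checked, so a failed attempt also discards an existing session cookie.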
25 @@ -46,17 +50,30 @@
26 elif not user.getUserId(request, name):
27 error = _('Unknown user name: {{{"%s"}}}. Please enter'
28 ' user name and password.') % name
29 -
30 - # Require password
31 + # Require password
32 else:
33 password = form.get('password',[None])[0]
34 if not password:
35 error = _("Missing password. Please enter user name and"
36 " password.")
37 else:
38 + u = user.User(request, name=name, password=password,
39 + auth_method='login_userpassword')
40 + u.remember_me = 0 # is not need because of the kind of selection
41 + u.save()
42 + lifetime = int(request.cfg.cookie_lifetime * 3600)
43 + now = time.time()
44 + expires = now + lifetime
45 +
46 + cookie = auth.makeCookie(request, u.id, lifetime, expires)
47 + # Set cookie
48 + request.setHttpHeader(cookie)
49 + # IMPORTANT: Prevent caching of current page and cookie
50 + request.disableHttpCaching()
51 +
52 if not request.user.valid:
53 error = _("Sorry, wrong password.")
54 -
55 +
56 return self.page.send_page(request, msg=error)
57
58 else: # show login form
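Review bot: In the final `else:` branch the cookie is built from `u.id` and sent with `request.setHttpHeader(cookie)` before anything checks that the password matched. The only validity check visible comes afterwards, `if not request.user.valid`, and it looks at `request.user`, not at the new `u`. Move `u.save()`, `auth.makeCookie(...)` and the header call behind a successful password check on `u`, so a wrong password neither saves the user object nor issues a cookie. Minor points: `expires` held hours in the earlier hunk and is reused here for an absolute timestamp, which is easy to misread, and the comment on `u.remember_me = 0` should read "not needed".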
The login patch stuff needs to be done differently. The point is that the real login (creation of a valid user object if the user has filled in username and password into the form fields) is done by the auth methods - before the login action is even called. Therefore, the login action must not create a user object on its own. There might also be cases where cookies are not needed and not used, e.g. with http auth - it must not set a cookie in such a case. I haven't tried it yet, but I think the only way is to modify auth.py and not login.py.
Further changes to Preferences may be necessary, because with this patch the remember_me configuration switch is redundant. The wiki configuration value for cookie lifetime is redundant too.
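An added example, not part of the patches above and not MoinMoin code: one way to turn the submitted `RememberFor` value into a cookie lifetime on the server, accepting only the six choices from the form and issuing a cookie only after authentication has succeeded. The function names, the cookie name `EXAMPLE_SESSION` and the fallback to the shortest lifetime are assumptions.

```python
from http.cookies import SimpleCookie

# Lifetimes offered by the login form, in hours (values from the patch above).
ALLOWED_HOURS = (0.25, 2, 4, 10, 168, 87600)
# Assumption: an absent or unexpected value gets the shortest lifetime.
DEFAULT_HOURS = 0.25
# Hypothetical cookie name, not taken from MoinMoin.
COOKIE_NAME = "EXAMPLE_SESSION"


def lifetime_seconds(form):
    """Map the submitted RememberFor field to a lifetime in seconds.

    `form` maps field names to lists of strings, the shape the patch reads
    with form.get('RememberFor', [''])[0].
    """
    try:
        hours = float(form.get("RememberFor", [""])[0])
    except (IndexError, TypeError, ValueError):
        return int(DEFAULT_HOURS * 3600)
    # Accept only values the form itself renders; this also rejects
    # negative numbers, 'inf' and 'nan', which float() parses happily.
    if hours not in ALLOWED_HOURS:
        return int(DEFAULT_HOURS * 3600)
    return int(hours * 3600)


def login_cookie_header(form, session_id, authenticated):
    """Return a Set-Cookie value for this login, or None.

    The lifetime stays local to this call; no shared configuration is
    changed, and nothing is issued unless authentication succeeded.
    """
    if not authenticated:
        return None
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["max-age"] = lifetime_seconds(form)
    cookie[COOKIE_NAME]["path"] = "/"
    cookie[COOKIE_NAME]["httponly"] = True
    return cookie[COOKIE_NAME].OutputString()


if __name__ == "__main__":
    # Constructed sample submissions.
    print(login_cookie_header({"RememberFor": ["2"]}, "abc123", True))
    print(login_cookie_header({"RememberFor": ["1e9"]}, "abc123", True))
```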