[Twisted-Python] Cred question

Sury Soni ssoni at nextdigital.com
Thu Aug 5 20:09:13 EDT 2010


> I guess he wants admin to 1) impersonate another user, akin to su -u
> anotheruser and 2) also to drop that user's session.
> For 1) you'd have to set the avatar to the user's id (or at application level
> implement something like effective uid). For 2) you'd have to iterate over all
> active sessions and terminate the one you want.
> 

Hi Konrads,

You are right.

Can you elaborate on your suggested solutions?

I am not sure where I set the avatar to the user's id, as the request will come from the protocol while the admin session is already active in the browser.

In nevow.guard, the login request usually comes through a login form submit to the http://yourhost/__login__ path.

And then the request goes to the Realm, but since the current (admin) session would already be active, how do we iterate over active sessions and drop the admin session?

> 
> 2010/8/5, exarkun at twistedmatrix.com <exarkun at twistedmatrix.com>:
> > On 4 Aug, 02:20 am, ssoni at nextdigital.com wrote:
> >>Hi,
> >>
> >>I am using Cred authentication system in my Nevow based web
> >>application.
> >>
> >>Admin user can see list of all users from admin interface of the
> >>application.
> >>
> >>Now, admin user wants to do following things:
> >>
> >>1. Automatically login as other user
> >>
> >>2. Induce logout to already logged in user.
> >>
> >>Q1. Since, admin user itself used cred authentication to login in
> >>first place, how do we do automatic login as different user
> >>programmatically or logout already logged in other user?
> >
> > I'm not sure what you're asking here.  Perhaps the answer is to call
> > your realm's requestAvatar method with the avatarId of the admin user?
> >
> > As far as logging out a user, that basically means dropping their
> > session.
> >>
> >>I tried to redirect my application to
> >>/__login__/?username=otherusername&password=itspassword and it went
> >>through Cred system, but I believe, since previous session was active
> >>as well, it triggered logout.
> >>
> >>Q2. Does cred allow multiple login sessions in same browser? So, that
> >>admin user can maintain its own session and login into other user as
> >>well.
> >
> > nevow.guard is cookie-based.  There's no way to have multiple
> > authentication cookies inside a single browser instance, as far as I
> > know.
> >
> > Jean-Paul
> >

Thanks JP for the clarification on multiple sessions.

-Sury
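
One way to model the two suggestions in this thread (an application-level effective uid, and iterating over the active sessions to drop a user's), as an added example that is not part of the original messages and does not use the nevow.guard or twisted.cred API. `SessionStore` and all of its method names are hypothetical; the admin switches identity inside the existing session, so no password travels in a `/__login__` URL.

```python
import secrets
import time


class SessionStore:
    """In-memory stand-in for a cookie-session table (hypothetical, not nevow.guard)."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.sessions = {}  # session id -> {"real": avatarId, "effective": avatarId}
        self.audit = []     # (timestamp, actor, action, target)

    def login(self, avatar_id):
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = {"real": avatar_id, "effective": avatar_id}
        return sid

    def _require_admin(self, sid):
        session = self.sessions.get(sid)
        # Authorize on the real identity, never the effective one, so an
        # impersonated view cannot be used to gain or lose privileges.
        if session is None or session["real"] not in self.admins:
            raise PermissionError("admin session required")
        return session

    def impersonate(self, admin_sid, target_id):
        session = self._require_admin(admin_sid)
        session["effective"] = target_id
        self.audit.append((time.time(), session["real"], "impersonate", target_id))

    def stop_impersonating(self, sid):
        session = self.sessions[sid]
        session["effective"] = session["real"]

    def force_logout(self, admin_sid, target_id):
        session = self._require_admin(admin_sid)
        # Collect first, then delete: drop every session the target owns.
        doomed = [sid for sid, s in self.sessions.items() if s["real"] == target_id]
        for sid in doomed:
            del self.sessions[sid]
        self.audit.append((time.time(), session["real"], "force_logout", target_id))
        return len(doomed)

    def effective_user(self, sid):
        session = self.sessions.get(sid)
        return session["effective"] if session else None
```
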

