Hi All,
Mech422 here… SnowWrite is always saying I should get a blog, and I wanted to archive this for later, so it's time for a blogging test drive.
Plone 2.5.x uses PAS and cookie authentication out of the box. This can easily be used to support single sign-on across multiple sites in a domain. For example, I have a single Plone instance driving two sites: one HTTP (www.example.com), the other HTTPS (secure.example.com). The problem is that, when switching between the two, the login information is lost. That is because, by default, the __ac cookie that carries the login information is set without a Domain attribute, so the browser sends it back only to the host that issued it. However, with about 10 lines of code you can change this so that a single cookie is shared by all hosts in a domain. Even better, you don't have to modify any core files: just override two scripts in your skin folder.
You will need to customize login_next.cpy and logout.cpy (either in /custom or on the filesystem). If you do this on the filesystem, you will also need to copy login_next.cpy.metadata and logout.cpy.metadata, because .metadata files must be in the same directory as the script they describe. You don't need to edit them, though.
In login_next.cpy, after the membership check:
if membership_tool.isAnonymousUser():
    REQUEST.RESPONSE.expireCookie('__ac', path='/')
    util.addPortalMessage(_(u'Login failed'))
    return state.set(status='failure')
add:
# Cookie auth has already queued a host-only __ac cookie on the response.
# Take its value and re-issue it with a Domain attribute so that every host
# under example.com receives it.  Replace example.com with your own domain.
login_cred = REQUEST.RESPONSE.cookies.get('__ac', None)
if login_cred:
    login_cred = login_cred['value']
    REQUEST.RESPONSE.setCookie('__ac',
                               login_cred,
                               path='/',
                               domain="example.com")
Replace 'example.com' with the desired domain name. Also, if you're not using the normal __ac cookie name, you'll need to adjust that as well. This replaces the normal Plone __ac cookie (which lacks domain information, and so is only available to the host that set it) with a cookie that will be sent to all hosts in the example.com domain. We read the cookie value from REQUEST.RESPONSE.cookies instead of REQUEST.cookies because the cookie hasn't reached the browser yet (i.e. we're interrupting in the middle of a traverse, and no data has been sent back to the client). Bear in mind what this widens: every host under example.com now receives the login cookie, and on the plain-HTTP www site it crosses the network unencrypted, so this is only sensible when you control every host in the domain.
The only thing left to do is to remove the domain-wide cookie on logout. In logout.cpy, right before the session invalidation:
# Invalidate existing sessions, but only if they exist.
sdm = getToolByName(context, 'session_data_manager', None)
if sdm is not None:
    session = sdm.getSessionData(create=0)
    if session is not None:
        session.invalidate()
Add the following:
# Expire the domain-wide cookie set in login_next.cpy; the name, path and
# domain must match exactly or the browser will keep the old cookie.
REQUEST.RESPONSE.expireCookie('__ac',
                              path='/',
                              domain="example.com")
The cookie name (’__ac’), and domain value must match the values you used in login_next.cpy.
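To make the cookie-scope rule behind this setup concrete, here is an added example that is not part of the original post and does not touch Plone at all: it uses Python's standard-library cookie jar as a stand-in for the browser and shows which hosts receive the __ac cookie when it is set host-only (Plone's default), with Domain=example.com (what the customised login_next.cpy does), and with the Secure flag added on top. The hostnames www.example.com and secure.example.com come from the post; store.example.com, www.example.org, the /login_form path and the cookie value are constructed for illustration.

```python
"""
Added example, not code from the original post: simulate how a browser scopes
the Plone __ac cookie with and without a Domain attribute, using only the
standard-library cookie jar.  www.example.com and secure.example.com follow
the post; store.example.com, www.example.org, the login path and the cookie
value are constructed for illustration.
"""
import email.message
import urllib.request
from http.cookiejar import CookieJar

# Constructed stand-in for whatever value Plone puts in __ac.
COOKIE_VALUE = "login_token_example"

# What Plone sets by default: a host-only cookie (no Domain attribute).
HOST_ONLY = f"__ac={COOKIE_VALUE}; Path=/"
# What the customised login_next.cpy sets: shared by every host under example.com.
DOMAIN_WIDE = f"__ac={COOKIE_VALUE}; Path=/; Domain=example.com"
# Same, plus Secure: never sent over plain http, so it would not reach the www site.
DOMAIN_WIDE_SECURE = DOMAIN_WIDE + "; Secure"

# Where the login happens in the post's setup (path is constructed).
LOGIN_URL = "https://secure.example.com/login_form"


class _FakeResponse:
    """Minimal response object: CookieJar.extract_cookies() only calls .info()."""

    def __init__(self, set_cookie_header):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_header_sent(set_by_url, set_cookie_header, request_url):
    """Return the Cookie header the browser would send to request_url after the
    site at set_by_url replied with set_cookie_header; "" if nothing is sent."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_header),
                        urllib.request.Request(set_by_url))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def scope_report(set_by_url, set_cookie_header, request_urls):
    """Map each URL to whether the __ac cookie would accompany a request to it."""
    return {url: cookie_header_sent(set_by_url, set_cookie_header, url) != ""
            for url in request_urls}


if __name__ == "__main__":
    targets = [
        "https://secure.example.com/",   # the site that issued the cookie
        "http://www.example.com/",       # the plain-http site the post wants signed in
        "http://store.example.com/",     # any other host under the domain (constructed)
        "http://www.example.org/",       # a different domain entirely (constructed)
    ]
    for label, header in (("host-only", HOST_ONLY),
                          ("domain-wide", DOMAIN_WIDE),
                          ("domain-wide + Secure", DOMAIN_WIDE_SECURE)):
        print(label)
        for url, sent in scope_report(LOGIN_URL, header, targets).items():
            print(f"  {url:32} {'sent' if sent else 'not sent'}")
```

Running it shows the trade-off behind the post's setup: the host-only cookie never reaches www.example.com, the domain-wide one reaches every host under example.com (including any you did not have in mind), and adding Secure would keep it off the plain-HTTP www site, which is exactly the site the post wants signed in.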
That's all there is to it… Since all the sites are served by the same Plone instance, the user names and passwords are the same everywhere, so you should now be able to log in on www.example.com and stay logged in when you go to blog.example.com or store.example.com. If you're running the sites out of different Plone instances, a 'real' single sign-on package like OpenID is the way to go. But for dealing with all the aliases sites seem to collect, this method works well.
As for the blogging - ehh, it feels like I’m talking to myself