On Mar 8, 2007, at 5:49 PM, Peter Wilkinson wrote:

> Hi,
>
> I'm in the process of implementing OpenID sign in, which turns out
> to be quite straight forward, but have run into one issue in the
> way sessions work. The OpenID process requires 2 URLs on the site
> to be accessed, the first to present the form to collect an OpenID
> identifier and the second to handle the response from the provider
> of that identifier. During this the OpenID library wants to
> maintain some values in a session for the user trying the access.
> Currently I can't see how to cleanly get a persistent session only
> identified by a cookie without a user being authenticated.
>
> Any ideas on how I could do this? Also in this case there is a need
> for some session data to be stored, what is the usual way for that
> to be done?

One option is to write a subclass of Session that overrides the needs_saving() method. The default behavior is to discard Sessions where the "owner" is the null User. It seems like you do want to keep those Sessions under certain circumstances, such as when the Session has the values that you want to keep.

If you do this, your SitePublisher should also override the create_session() method so that it returns an instance of your subclass. This will make it possible to have sessions that are stored, even for non-authenticated users.

Let us know how it goes. It seems like a desirable authentication option to have.
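The approach described in the reply above, as an added example that is not part of the original message and not the framework's own code. Only the names Session, SitePublisher, needs_saving() and create_session() come from the message; the User class, the `openid_state` attribute, the `store` dictionary and `finish_request()` are hypothetical stand-ins that model the described behaviour so the block runs on its own.

```python
# Stand-ins modelling only the behaviour described in the reply above.
# They are NOT the framework's real classes; everything except the names
# Session, SitePublisher, needs_saving() and create_session() is assumed.

class User:
    def __init__(self, user_id=None):
        self.user_id = user_id

    def is_null(self):
        return self.user_id is None

class Session:
    def __init__(self):
        self.owner = User()  # null User until someone signs in

    def needs_saving(self):
        # Default described in the reply: discard sessions owned by the null User.
        return not self.owner.is_null()

class SitePublisher:
    def __init__(self):
        self.store = {}  # session id -> Session (hypothetical persistent store)

    def create_session(self):
        return Session()

    def finish_request(self, session_id, session):
        # Persist only what needs_saving() approves; drop everything else.
        if session.needs_saving():
            self.store[session_id] = session
        else:
            self.store.pop(session_id, None)
        return session_id in self.store

class OpenIDSession(Session):
    def __init__(self):
        super().__init__()
        self.openid_state = {}  # values the OpenID library keeps between the two URLs

    def needs_saving(self):
        # Keep an anonymous session only while an OpenID exchange is pending, so
        # ordinary anonymous requests still leave nothing in the session store.
        return bool(self.openid_state) or super().needs_saving()

class OpenIDSitePublisher(SitePublisher):
    def create_session(self):
        return OpenIDSession()
```

Tying needs_saving() to the presence of pending OpenID data, rather than returning True unconditionally, keeps unauthenticated visitors from filling the session store with empty sessions.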