I'm sensing a groundswell of opinion that the SessionPlugin should be added to the kernel (i.e. be shipped in every release). So I'm proposing it for Dakar, to see what the reaction is.
The specific proposal is to:
- Move plugins.SessionPlugin into SVN
- Tidy it up for Dakar (a new release is needed anyway, to better support AuthPagePlugin)
- Update released DISABLEDPLUGINS to include it
- Build it into the release package
- Remove $doRememberRemoteUser, which tries to duplicate part of what SessionPlugin does.
Pros:
- Many installations use this incredibly handy plugin
- Simpler installation (no need to worry about $doRememberRemoteUser, just enable SessionPlugin to get session persistence)
- ...
Cons:
- Adds a dependency (on CGI::Session)
- Existing sites use $doRememberRemoteUser and will need coaching to transfer
- When used for a long enough time period, you get disk cloggage. This is due to there being no support for deletion of expired sessions. Which does become a real issue in terms of space, doing directory listings and similar. -- MichaelSparks
- ...
--
CrawfordCurrie - 05 Apr 2005
I agree.
--
MartinCleaver - 05 Apr 2005
I'm proposing that SessionPlugin be ABOLISHED ALTOGETHER.
My idea is that now TWiki is maturing and we are addressing authentication and authorization properly, the best way to fix the whole login and session issue is to make them much more tightly integrated. It will also make them simpler and more reliable (read: secure).
Yes, you will still be able to turn off features, for example if you don't want IP address matching.
I'm sure those others who have been battling with the password/login code will see the advantage of this.
--
AntonAylward - 06 Apr 2005
Does that read: and add the AuthPagePlugin to the core as well in one go?
Yes, please.
--
MichaelDaum - 06 Apr 2005
... please make sure SessionPlugin is part of Dakar. Either as a fully supported Plugin. Or better as part of the Dakar package. As a user/administrator it is not essential whether the functionality is built-in to the core software or a plugin like TablePlugin is today.
--
KennethLavrsen - 06 Apr 2005
--
JeffreyHorner - 06 Apr 2005
The removed enhancement requests are reasonable; but please add enhancement requests to the SessionPluginDev page, and not here. This topic is discussing whether to include the plugin in the kernel, and Jeffrey, you have not expressed a preference either way.
--
CrawfordCurrie - 07 Apr 2005
Fair enough Crawford (thanks for moving my comment to the appropriate place).
I do agree that SessionPlugin should be moved into the kernel, and that $doRememberRemoteUser is flawed, however I'm still concerned about SessionPlugin's implementation.
--
JeffreyHorner - 07 Apr 2005
Please integrate the AuthPagePlugin into the SessionPlugin while adding it to the SVN.
--
MichaelDaum - 09 Apr 2005
My vote doesn't count, but I vote YES anyway.
--
TravisBarker - 10 Apr 2005
This is probably still just an (undecided) terminology clash; but no plugins should ship with the TWikiKernel (either because TWikiKernel means something very core, to which you add plugins, or because TWikiKernel means the minimum to have a working twiki).
--
WillNorris - 26 May 2005
Although I am very much in favour of having a viable solution for this problem
--
WillNorris - 26 May 2005
Like Travis :-), I'd like to cast a big "provisional" YES vote for having both SessionPlugin and AuthPagePlugin integrated into the kernel.
--
GregAbbas - 23 Jun 2005
GregAbbas is working on this; see attachments for his latest work.
--
CrawfordCurrie - 14 Jul 2005
There is now a scratch branch for this work; see
svn co http://svn.twiki.org/svn/twiki/scratch/AddSessionPlugin
--
CrawfordCurrie - 17 Jul 2005
We ended up rewriting it to fit it in better. Really seamless integration, now. --
CrawfordCurrie - 28 Aug 2005