id	summary	reporter	owner	description	type	status	priority	component	severity	resolution	keywords	cc	release
5964	[patch] Prevent multiple calls to LoginModule._remote_user()	ebray	hasienda	I was having a problem where if a user logs in with invalid credentials using the form-based login, authentication would be performed twice.  Why this happens is complicated, and has to do with additional plugins that implement `IRequestFilter`, so I won't go into the details right now, but am willing to if necessary.\r\n\r\nRegardless, I don't think `LoginModule._remote_user()` (and by extension `AccountManager.check_password()`) should be called more than once in the request.  This is especially a problem in my case, where users who're authenticating against an LDAP server are being locked out of their accounts due to invalid logins much faster than they should.\r\n\r\nThis was my solution--in my setup the only thing that should be setting the 'REMOTE_USER' environment variable is the account manager plugin.  Though maybe a more flexible approach would be desired:\r\n\r\n{{{\r\n#!diff\r\nIndex: web_ui.py\r\n===================================================================\r\n--- web_ui.py   (revision 6688)\r\n+++ web_ui.py   (working copy)\r\n@@ -437,7 +437,8 @@\r\n \r\n    def authenticate(self, req):\r\n        if req.method == 'POST' and req.path_info.startswith('/login'):\r\n-            req.environ['REMOTE_USER'] = self._remote_user(req)\r\n+            if 'REMOTE_USER' not in req.environ:\r\n+                req.environ['REMOTE_USER'] = self._remote_user(req)\r\n        return auth.LoginModule.authenticate(self, req)\r\n    authenticate = if_enabled(authenticate)\r\n}}}	enhancement	closed	normal	AccountManagerPlugin	normal	fixed	ldap authentication	rjollos	0.11
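Review bot: In `authenticate()`, the new guard `if 'REMOTE_USER' not in req.environ:` tests only whether the key is present, so it cannot tell a value stored by an earlier pass through this method from one that the web server or another component put in the environment. In the second case `_remote_user()` is skipped and the credentials posted to `/login` are never checked for that request. Consider recording that `_remote_user()` has already run under a key private to this module and testing that marker instead of `REMOTE_USER` itself. A short comment saying the guard exists to keep `check_password()` to one call per request would also help, since the reason is not evident from the code.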
