While this is not an issue in the turbogears code, it will bite you if you use
alternative login facilities (CAS, LDAP, openid) in TurboGears 2.1.X applications.
These plugins tend to use auth_tkt to store the identity in a cookie.
In repoze.who-1.0.1[89]-py2.6.egg/repoze/who/plugins/auth_tkt.py:identify:
Any who_tokens are joined into a string and passed to the cookie creation:

    if not isinstance(tokens, basestring):
        tokens = ','.join(tokens)
    if not isinstance(who_tokens, basestring):
        who_tokens = ','.join(who_tokens)      # first join: sequence -> "a,b"
    old_data = (userid, tokens, userdata)
    new_data = (who_userid, who_tokens, who_userdata)
    if old_data != new_data or (self.reissue_time and
        ( (timestamp + self.reissue_time) < time.time() )):
        ticket = auth_tkt.AuthTicket(
            self.secret,
            who_userid,
            remote_addr,
            tokens=who_tokens,                 # already a string at this point
            user_data=who_userdata,
            cookie_name=self.cookie_name,
            secure=self.secure)
        new_cookie_value = ticket.cookie_value()
The creation of the ticket is then done here:
/Paste-1.7.5.1/paste/auth/auth_tkt.AuthTicket.__init__
    def __init__(self, secret, userid, ip, tokens=(), user_data='',
                 time=None, cookie_name='auth_tkt',
                 secure=False):
        self.secret = secret
        self.userid = userid
        self.ip = ip
        self.tokens = ','.join(tokens)         # second join: iterates the string character by character

The token list is joined again, which basically destroys the cookie token list.
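The double join described above, reproduced in plain Python 3 (this is an added example, not code from repoze.who, Paste or TurboGears; the function names and the constructed token list are assumptions used for illustration):

```python
# Added example reproducing the token corruption described above.
# Python 3 is assumed, so `str` stands in for Python 2's `basestring`.

def plugin_join(who_tokens):
    """Mirror of the repoze.who step: join a token sequence into one string."""
    if not isinstance(who_tokens, str):
        who_tokens = ','.join(who_tokens)
    return who_tokens

def ticket_join(tokens):
    """Mirror of Paste's AuthTicket.__init__: unconditional join.

    Given a string, ','.join() iterates its characters, so 'admin,editor'
    becomes 'a,d,m,i,n,,,e,d,i,t,o,r'.
    """
    return ','.join(tokens)

def cookie_tokens_buggy(who_tokens):
    """Token string that ends up in the ticket when both joins run."""
    return ticket_join(plugin_join(who_tokens))

def cookie_tokens_fixed(who_tokens):
    """Hand the ticket the sequence itself so only one join happens.

    Assumed fix for illustration: skip the plugin-side join and let
    AuthTicket do the single join it expects to do.
    """
    return ticket_join(list(who_tokens))

def parse_tokens(cookie_value):
    """How a consumer reads tokens back out of the cookie: split on comma."""
    return cookie_value.split(',')

if __name__ == '__main__':
    # Constructed sample: two role tokens the application wants in the cookie.
    roles = ['admin', 'editor']
    print('buggy :', parse_tokens(cookie_tokens_buggy(roles)))
    print('fixed :', parse_tokens(cookie_tokens_fixed(roles)))
```

With the buggy path a later membership check such as `'editor' in parse_tokens(...)` fails, because the cookie only carries single characters and empty strings.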
I believe this is fixed in repoze.who version 2, but TG2.X applications are using repoze.who 1.0.18 or 1.0.19.
It does not appear that repoze.who version 1 is maintained anymore, nor are there many updates to Paste, so I
am not sure where to send this error. Maybe moving to repoze.who 2 would be the solution?