I was wondering if my solution to the problem outlined below would be a useful inclusion into the main CMF code tree? I solved this by encrypting the __ac_name and __ac_password values in the URL and then hacked CookieCrumbler.py to decrypt them before it sets the cookie. The general idea is that the user would set up the path to a method called decrypt as a property of the cookie crumbler. If this property is non-NULL the cookie crumbler calls it to decrypt the values before setting the cookie; in an instance where the value is not decrypted the decryption mechanism should return the value passed to it.

--On Thursday, 23 December 2004 11:47 -0800 Declan Shanaghy <declan@shanaghy.com> wrote:
I have set up a portal of shopping sites. Each merchant we support has their own domain set up.
e.g.
Seeing as they are shopping sites, certain pages have to be handled by SSL.
Due to SSL limitations only 1 SSL domain+certificate can exist per IP, and we only have 1 IP. Therefore my solution is that for non-SSL pages the merchant can use their own unique domain name, but all SSL pages will be redirected to
https://merchantname.portal.com and an SSL certificate is set up with a CN of *.portal.com
A problem arises when switching between domains like this. The login cookie is lost. Currently I do a redirect between domains and include __ac_name and __ac_password arguments in the URL so the user stays logged in, but this causes the username and password to be displayed in the address bar in plain text.
I'd like to secure this more.
Is there any way that i could
A - Encrypt __ac_name and __ac_password values?
or
B - Set the cookie for both domains so name and password don't have to be transferred?
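The hook described in the reply above (a configurable decrypt method that the cookie-setting code calls on __ac_name and __ac_password, and that passes unencrypted values through unchanged), as an added example that is not the poster's patch and not CMF's CookieCrumbler. It is standard-library Python; the shared secret, the `enc:` token prefix, the expiry field and the class and function names are all assumptions. The token is encrypt-then-MAC with an HMAC-SHA256 keystream and an expiry bound into the authenticated header, so a copied URL stops working after a short window, which is the main risk of carrying credentials in a query string (logs, Referer headers, browser history).

```python
import base64
import hashlib
import hmac
import os
import struct
import time

ENC_PREFIX = "enc:"  # assumed marker that distinguishes encrypted values from plain ones


def _derive_keys(secret: bytes):
    # Separate encryption and MAC keys from one shared secret; both ends of the
    # redirect are assumed to hold `secret` out of band.
    enc_key = hashlib.sha256(b"enc" + secret).digest()
    mac_key = hashlib.sha256(b"mac" + secret).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stdlib-only stand-in for a real AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(secret: bytes, value: str, ttl: int = 60, now=None) -> str:
    """Build the token placed in the URL: prefix + base64url(nonce | expiry | ct | tag)."""
    enc_key, mac_key = _derive_keys(secret)
    nonce = os.urandom(12)
    expires = int(now if now is not None else time.time()) + ttl
    header = nonce + struct.pack(">Q", expires)
    pt = value.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()  # MAC covers header and ct
    return ENC_PREFIX + base64.urlsafe_b64encode(header + ct + tag).decode("ascii")


def decrypt_value(secret: bytes, value: str, now=None) -> str:
    """The decrypt hook: verify tag and expiry, or pass a non-encrypted value through."""
    if not value.startswith(ENC_PREFIX):
        return value  # pass-through, as the reply requires for unencrypted values
    enc_key, mac_key = _derive_keys(secret)
    blob = base64.urlsafe_b64decode(value[len(ENC_PREFIX):])
    if len(blob) < 12 + 8 + 32:
        raise ValueError("token too short")
    header, ct, tag = blob[:20], blob[20:-32], blob[-32:]
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad authentication tag")
    nonce, expires = header[:12], struct.unpack(">Q", header[12:])[0]
    if (now if now is not None else time.time()) > expires:
        raise ValueError("token expired")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


class CookieCrumblerLike:
    """Minimal stand-in for the cookie-setting step; the `decrypt_method` property
    mirrors the configurable hook the reply describes."""

    def __init__(self, decrypt_method=None):
        self.decrypt_method = decrypt_method

    def credentials_from_request(self, form: dict):
        # Returns the (name, password) pair that would go into the login cookie.
        name = form.get("__ac_name")
        pw = form.get("__ac_password")
        if name is None or pw is None:
            return None
        if self.decrypt_method is not None:
            name = self.decrypt_method(name)
            pw = self.decrypt_method(pw)
        return name, pw


def demo(secret: bytes = b"shared-secret-placeholder"):
    # Constructed redirect: the sending domain encrypts both values, the
    # receiving domain's crumbler decrypts them through the hook.
    crumbler = CookieCrumblerLike(decrypt_method=lambda v: decrypt_value(secret, v))
    form = {
        "__ac_name": encrypt_value(secret, "alice"),
        "__ac_password": encrypt_value(secret, "s3cret"),
    }
    return crumbler.credentials_from_request(form)


if __name__ == "__main__":
    print(demo())
```

The expiry check is what keeps a logged or bookmarked URL from being replayed later; a production deployment would also want single-use tokens, or better, the reply's own suggestion taken further so that no password crosses the redirect at all.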