Cookie Crumbler - read Password from login_form
Hello, I am using Cookie Crumbler for Authentification in Zope. The standard login_form template provides an input text field for username and password whose field names must correspond to the field names set in the Cookie Crumbler object. These field names (e.g. __ac_name, __ac_password) are not found in the REQUEST when submitting the form "login_form" since they are stored in a cookie called "__ac".

My question is: how can I read the password the user entered in the login_form? Assume my login_form contains <form action="myExternalMethod"> instead of <form action="logged_in"> to call an external method that reads the password from login_form. How can I do that?

I tried to decode the string stored in the cookie "__ac" using base64.decodestring(<string>) and got "<username>:x034x213324" where <username> is the username in cleartext the user typed in the __ac_name text field of login_form. How can I read the password in cleartext? Background of this issue is that I need to pass the password in cleartext to another application.

Thank you in advance,
Nico
nicogrubert@arcor.de wrote:
Hello,
I am using Cookie Crumbler for Authentification in Zope.
I'm sure you mean Authentication...
These field names (e.g. __ac_name, __ac_password) are not found in the REQUEST when submitting the form "login_form" since they are stored in a cookie called "__ac".
They'll still be in the REQUEST, just not accessible due to their names...
My question is: how can I read the password the user entered in the login_form?
Why do you want to?
I tried to decode the string stored in the cookie "__ac" using base64.decodestring(<string>) and got "<username>:x034x213324" where <username> is the username in cleartext the user typed in the __ac_name text field of login_form. How can I read the password in cleartext? Background of this issue is that I need to pass the password in cleartext to another application.
In that case, probably easier to customise the user folder and have it send the info when its getUser method is called.

cheers,
Chris
On Monday 15 September 2003 09:23 am, Chris Withers wrote:
nicogrubert@arcor.de wrote:
My question is: how can I read the password the user entered in the login_form?
I tried to decode the string stored in the cookie "__ac" using base64.decodestring(<string>) and got "<username>:x034x213324" where <username> is the
So, the password is being hashed on the client side? How is that happening, exactly? Javascript, Java plugin, or ?? Or *is* "x034x213324" the clear text password? HTML forms don't, to my knowledge, send encrypted data. If Zope (that is, CookieCrumbler) is taking the cleartext password, encrypting it, and then storing it in a cookie, then this is probably the "long way round."

I realized after tinkering with this myself that encrypting passwords for storage was probably a dumb idea if you're not using SSL to begin with (i.e. if they're not getting encrypted on the client side). Because it's sort of silly to store them in such a way that even *you* can't read them after you've just done the metaphorical equivalent of shouting the secret across a crowded room! (i.e. sending them plain text across the net in the user's web request). (Because, which is more likely -- that an attacker will gain shell access to your server and start going through your user database, or that they will simply sniff for passwords coming into your web server?)

Maybe that's immediately obvious to other people, but I keep mentioning it, because it wasn't to me. ;-)
username in cleartext the user typed in the __ac_name text field of login_form. How can I read the password in cleartext? Background of this issue is that I need to pass the password in cleartext to another application.
In that case, probably easier to customise the user folder and have it send the info when its getUser method is called.
Yeah, this would be my call, too. SimpleUserFolder, BTW, is very easy to subclass to get whatever custom behavior you need. I've been pretty happy with it so far, so I'd recommend going with that.

Cheers,
Terry
--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com
nicogrubert@arcor.de wrote at 2003-9-15 09:47 +0200:
I am using Cookie Crumbler for Authentification in Zope. The standard login_form template provides an input text field for username and password whose field names must correspond to the field names set in the Cookie Crumbler object.
These field names (e.g. __ac_name, __ac_password) are not found in the REQUEST when submitting the form "login_form" since they are stored in a cookie called "__ac".
My question is: how can I read the password the user entered in the login_form?
Some questions are easily answered by looking at the source and its documentation... Cookie Crumbler deliberately removes "__ac_password" from the request after it did its purpose.

Dieter
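As an added illustration (not code from the thread or from CMF's CookieCrumbler itself), the following assumes the "__ac" cookie holds URL-quoted base64 of "name:password", which is consistent with what the poster decoded. The point for a defender is that such a cookie is a reversible encoding rather than a hash, so whoever can read it (on the wire without SSL, or in a browser) holds the credential itself; the helper names below are my own.

```python
import base64
import binascii
from typing import Tuple
from urllib.parse import quote, unquote

# Assumed cookie layout (constructed for this example, not verified
# against any specific Zope/CMF release): quote(base64("name:password")).


def encode_ac_cookie(name: str, password: str) -> str:
    """Build a cookie value from a name/password pair in the assumed format."""
    raw = f"{name}:{password}".encode("utf-8")
    return quote(base64.b64encode(raw).decode("ascii"))


def decode_ac_cookie(value: str) -> Tuple[str, str]:
    """Recover (name, password) from the cookie value.

    Splits on the FIRST colon only, so a password that itself contains
    a colon survives the round trip instead of being truncated.
    """
    raw = base64.b64decode(unquote(value)).decode("utf-8")
    name, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("cookie does not contain a name:password pair")
    return name, password


def is_reversible_credential(value: str) -> bool:
    """True when the cookie yields a usable cleartext password.

    A True result means the cookie is an encoding, not a one-way hash,
    and must be protected exactly like the password it carries
    (transport over HTTPS only, never logged, short lifetime).
    """
    try:
        _, password = decode_ac_cookie(value)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False
    return password != ""


if __name__ == "__main__":
    cookie = encode_ac_cookie("nico", "s3cr:et")
    print(cookie, decode_ac_cookie(cookie), is_reversible_credential(cookie))
```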