[Zope-CMF] Plugin for PluggableUserFolder (was: more secure cookie crumber)
Jean-Marc Orliaguet
jmo at ita.chalmers.se
Thu Oct 7 06:30:40 EDT 2004
Hi!
There was a discussion earlier on the list (I don't remember which one)
about implementing a more secure cookie crumbler.
Just for information: I have updated the KerberosIdentification plugin
for PluggableUserFolder (basically an external authentication plugin) to
force it to not store the password in '__ac' in a cookie (not even in
the Zope session as SessionCrumbler does). So the password is only used
once, i.e. when the user logs in, and then it is not used or stored
anymore during the session. Hence there is no risk that the password be
seen in any way: i.e. through a core dump, unencrypted session w/ ZEO,
etc...
The information about authenticated users (similar to a ticket
containing the username and the ZopeID) is saved in a RAM cache so it is
possible to know how many users are logged on simultaneously, or to
implement an auto-logout function, etc. or to prevent a same user from
being logged on from several sessions (as it is by default in this
implementation).
It won't work with ZEO though unless the session is bound to a same zope
server for a given period of time.
To clear the password I had to remove CookieCrumbler and implement the
cookie management part in the plugin instead.
Here is the readme:
https://sf.codex-se.org/project/shownotes.php?release_id=54
And the code:
http://cvs.codex-se.org/viewcvs/viewcvs.cgi/KerberosIdentification/?cvsroot=zope
https://sf.codex-se.org/download.php/52/KerberosIdentification1.1.tgz
I am also working on a RAMCacheCrumbler that stores the __ac in RAM, and
which is faster than SessionCrumbler (see
http://cvs.codex-se.org/viewcvs/viewcvs.cgi/RAMCacheCrumbler/?cvsroot=zope).
Now I would like to make it work without storing the __ac in RAM. Has
anyone had any experience with this?
I feel that the best solution is to dump the crumbler and implement
everything in the userfolder.
Has anyone managed to write a cookiecrumbler / sessioncrumbler /
whatevercrumbler that does not store the password anywhere?
/JM
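The ticket scheme the post describes, as an added illustration that is not code from the KerberosIdentification plugin or from PluggableUserFolder: the password is verified exactly once at login, the cookie then carries only an opaque random ticket, and a RAM-resident table maps tickets to usernames. The table is what makes "who is logged on", idle auto-logout and one-session-per-user possible. The class name, the idle timeout, the `authenticate` callback and the test accounts are all constructed for the example.

```python
import hmac
import secrets
import time

# Constructed example, not the plugin's own code. Models the ticket scheme
# described in the post: password checked once, then only an opaque ticket
# (username + random id) lives in a RAM table and is referred to by the cookie.

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before auto-logout (assumed value)


class RamTicketStore:
    """In-process table of authenticated sessions; nothing here holds a password."""

    def __init__(self, authenticate, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        # authenticate(username, password) -> bool is supplied by the caller
        # (the Kerberos check in the post); the store never keeps the password.
        self._authenticate = authenticate
        self._idle_timeout = idle_timeout
        self._clock = clock
        self._tickets = {}   # ticket_id -> {"user": ..., "last_seen": ...}
        self._by_user = {}   # username -> ticket_id (one session per user)

    def login(self, username, password):
        """Verify the password once; return an opaque ticket id, or None on failure."""
        if not self._authenticate(username, password):
            return None
        # A new login evicts any earlier ticket for the same user, which is the
        # "no same user from several sessions" default the post mentions.
        old = self._by_user.pop(username, None)
        if old is not None:
            self._tickets.pop(old, None)
        ticket_id = secrets.token_urlsafe(32)  # unguessable; stands in for the ZopeID
        self._tickets[ticket_id] = {"user": username, "last_seen": self._clock()}
        self._by_user[username] = ticket_id
        return ticket_id

    def identify(self, ticket_id):
        """Map the cookie value back to a username, expiring idle tickets first."""
        self._expire_idle()
        entry = self._tickets.get(ticket_id)
        if entry is None:
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, ticket_id):
        entry = self._tickets.pop(ticket_id, None)
        if entry is not None:
            self._by_user.pop(entry["user"], None)

    def logged_on_users(self):
        """Usernames with a live ticket, i.e. who is logged on right now."""
        self._expire_idle()
        return sorted(self._by_user)

    def _expire_idle(self):
        now = self._clock()
        for tid, entry in list(self._tickets.items()):
            if now - entry["last_seen"] > self._idle_timeout:
                self.logout(tid)


def demo():
    """Walk through login, single-session enforcement and idle auto-logout."""
    users = {"alice": "s3cret", "bob": "hunter2"}  # constructed test accounts

    def check(user, pw):
        expected = users.get(user, "")
        return user in users and hmac.compare_digest(expected.encode(), pw.encode())

    now = [1000.0]  # fake clock so the timeout can be driven deterministically
    store = RamTicketStore(check, idle_timeout=60, clock=lambda: now[0])
    results = {}
    results["bad_password"] = store.login("alice", "wrong")
    first = store.login("alice", "s3cret")
    second = store.login("alice", "s3cret")  # evicts the first ticket
    results["first_ticket_still_valid"] = store.identify(first) is not None
    results["second_ticket_user"] = store.identify(second)
    store.login("bob", "hunter2")
    results["logged_on"] = store.logged_on_users()
    now[0] += 61  # both users idle past the timeout
    results["after_timeout"] = store.logged_on_users()
    results["expired_ticket_user"] = store.identify(second)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the table lives in one process, a second Zope server behind ZEO knows nothing about tickets issued by the first; that is the limitation the post notes, and the reason the session has to stay bound to one server for the ticket's lifetime.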