[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler

Simon Eisenmann simon at struktur.de
Tue Oct 12 06:14:19 EDT 2004


On Tue, 2004-10-12 at 11:30 +0200, Jean-Marc Orliaguet wrote:
> I have noticed a significant performance drop with CPS; it is not as 
> significant with Plone or CMF though. This occurs before the page is 
> rendered, probably a 0.2-0.3 second gap where nothing happens. I don't 
> know why; I tried both with ZEO and without ZEO.

Mhm, that's strange. I suppose this has only indirectly something to do
with SessionCrumbler and is related to the increased use of sessions
itself. Did you track down this 0.2-0.3 second gap to some code lines?

> It is more secure in a sense, and less secure in another sense; it just 
> moves the weakest link from one place to another.
> If you are doing external authentication (krb, cas, AD, ...), then the 
> only viable alternative is to not store the password anywhere; this is 
> when it becomes more secure, otherwise any other option is just as 
> insecure since the main password can get compromised.

Of course it moves the weakest part from the client to the server. If
you do external auth, of whatever type, the userfolder should support it
and not rely on a crumbler of any type. The crumbler approach itself is
meant to "remember" the authentication credentials for Zope's internal
basic auth.

> Why not push for a *real* secure implementation then instead of patching 
> a hack?
> It is a bit like saying: the front door is no longer left open, but now 
> you can get in through the window instead and climbing through the 
> window is more difficult.

You are right. What is really required is some really secure
authentication mechanism which internally does not try to fake basic
auth but implements it in a secure way. But this has nothing to do with
the crumbler approach which is currently used. I am talking about a minor
change. Replacing Plone's default authentication model is a major change
which will take months to do.

Anybody is free to write a PLIP proposing this. If somebody comes up
with a really secure thing and writes down how we may integrate it into
Plone (as default solution), we don't have any other chance than to either
keep CookieCrumbler or look around and integrate other available solutions.

> That gives the user a false sense of security.

Users usually do not have a big sense for security at all. They come to
you if somebody broke into the system. In the first step users don't care
if it's secure or not .. the important thing is that it just works. If
users cared about security they would have screamed about
CookieCrumbler a long, long time ago. I haven't heard very much. People
even use it with LDAPUserFolder and whatever external auth systems,
without even knowing what they are doing.

IMHO we should silently replace CookieCrumbler with SessionCrumbler
without proposing it as a more secure authentication. It is, in a way, but
nothing we should talk about too much to the end users.

Cheers,
 Simon

-- 
Simon Eisenmann

[ mailto:simon at struktur.de ]

[ struktur AG | Friedrichstr. 14 | 70174 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ http://www.struktur.de | mailto:info at struktur.de ]
