[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler

Simon Eisenmann simon at struktur.de
Tue Oct 12 12:07:47 EDT 2004


On Tue, 2004-10-12 at 11:28 -0400, Tres Seaver wrote:
> Simon Eisenmann wrote:
> > On Tue, 2004-10-12 at 16:15 +0200, Jean-Marc Orliaguet wrote:
> > 
> > 
> >>All you need to do is to set a _ZopeID cookie that you have stolen, login
> >>(you are already logged in), and use the 'mail password' script to send
> >>the password.
> > 
> > 
> > Ok right, that's a problem. But I think I can wrap the password in the
> > session inside a special object which itself does some additional
> > verification that this request really may access this session. Such
> > additional checks could check the source IP address of the client, for
> > instance. Doing stuff like this would mean that the user needs to fake a
> > HTTP request, which is a bit more complex than just using the mail
> > password script. How do you feel about this?
> 
> No truly secure system keeps the user's plaintext password *anywhere* 
> (the "mail me my password" bit can only be a "reset my password and mail 
> me the reset value" in such a system).  The hack which CookieCrumbler 
> uses (and I presume SessionCrumbler, from the discussion), makes a 
> request *look* to Zope like basic auth, and therefore has to keep the 
> plaintext password around somewhere.

Of course. The whole basic auth fake should better be reconsidered and
some secure auth system should be used, e.g. PAS. Though right now we
are using CookieCrumbler.

> Personally, I don't see a lot of benefit in expending development effort 
> trying to polish a fundamentally insecure approach.  Basic auth over SSL 
> is actually more secure than either of the two "crumblers";  digest auth 
> would be even better, and client certificates better than that.

Well, it took me about 1 hour to write the SessionCrumbler thing to get
timed out logins when the user is inactive for some time. So it's there,
and so why not use it _until_ someone has the time to totally rethink
the default authentication system of Plone?

Best regards,
 Simon

-- 
Simon Eisenmann

[ mailto:simon at struktur.de ]

[ struktur AG | Friedrichstr. 14 | 70174 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ http://www.struktur.de | mailto:info at struktur.de ]
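As an added illustration of the two points argued above (this is not code from CookieCrumbler, SessionCrumbler or Plone): an idle-timeout session store that never holds a password, next to the "reset my password and mail me the reset value" flow Tres describes, where only a digest of the one-time token is kept server-side. Class names, the timeout values and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 20 * 60      # assumed: seconds of inactivity before a session dies
RESET_TOKEN_TTL = 15 * 60   # assumed: seconds a reset token stays valid


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class SessionStore:
    """Holds a user id and a last-activity stamp; no password, so a stolen
    session id cannot be turned into the user's credential."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock for testing
        self._sessions = {}

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user_id, "last_seen": self._now()}
        return sid

    def touch(self, sid):
        """Return the user for a live session, or None if unknown or idle too long."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if self._now() - rec["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        rec["last_seen"] = self._now()
        return rec["user"]


class PasswordResetService:
    """Reset-token flow: the clear token goes only to the mailbox, the server
    keeps a digest, and the token is single-use and expiring."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}       # user_id -> (token digest, expiry)
        self.outbox = []         # stands in for the mail transport

    def request_reset(self, user_id):
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = (_digest(token), self._now() + RESET_TOKEN_TTL)
        self.outbox.append((user_id, token))

    def redeem(self, user_id, token):
        rec = self._pending.get(user_id)
        if rec is None or self._now() > rec[1]:
            return False
        ok = hmac.compare_digest(rec[0], _digest(token))
        if ok:
            del self._pending[user_id]   # single use
        return ok
```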
