[Zope-CVS] CVS: Products/CookieCrumbler -
SessionCookieCrumbler.py:1.1 CHANGES.txt:1.15
CookieCrumbler.py:1.23 __init__.py:1.4
Stuart Bishop
zen at shangri-la.dropbear.id.au
Sat Apr 17 00:16:05 EDT 2004
Update of /cvs-repository/Products/CookieCrumbler
In directory cvs.zope.org:/tmp/cvs-serv15650
Modified Files:
CHANGES.txt CookieCrumbler.py __init__.py
Added Files:
SessionCookieCrumbler.py
Log Message:
SessionCookieCrumbler added
=== Added File Products/CookieCrumbler/SessionCookieCrumbler.py ===
##############################################################################
#
# Copyright (c) 2004 Zope Corporation and Contributors. All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE
#
##############################################################################
'''
$Id: SessionCookieCrumbler.py,v 1.1 2004/04/17 04:15:33 Zen Exp $
SessionCookieCrumbler
'''
__rcs_id__ = '$Id: SessionCookieCrumbler.py,v 1.1 2004/04/17 04:15:33 Zen Exp $'
__version__ = '$Revision: 1.1 $'[11:-2]
__author__ = 'Stuart Bishop <stuart at stuartbishop.net>'
import os.path
from App.Common import package_home
from AccessControl import ClassSecurityInfo, Permissions
from Globals import DTMLFile, InitializeClass
from App.Common import package_home
from OFS.DTMLMethod import addDTMLMethod
from ZPublisher import BeforeTraverse
from CookieCrumbler import CookieCrumbler, _create_forms
# Presumably the name of a Zope permission; it is only defined here and
# nothing else in this module, as listed, refers to it.
ModifyCookieCrumblers = 'Modify Cookie Crumblers'
# NOTE: to disable cookie auth, set the request var disable_cookie_login__
class SessionCookieCrumbler(CookieCrumbler):
    ''' A CookieCrumbler that keeps the authentication credentials on
    the server, in the SESSION, instead of handing them to the client
    in a cookie.

    The value the base class would have put in the auth cookie is stored
    under the key (cookie name, cookie path) in REQUEST.SESSION and is
    copied back into the request on each traversal.  The session id is
    therefore what authenticates the browser, and the session store holds
    whatever the base class puts in cookie_value, so both need the
    protection the auth cookie itself would have needed.
    '''
    meta_type = 'Session Cookie Crumbler'
    security = ClassSecurityInfo()

    security.declarePrivate('getCookieMethod')
    def getCookieMethod(self, name='setAuthCookie', default=None):
        ''' No overrides '''
        # NOTE(review): `default` is accepted for signature compatibility
        # but never used; a name this object cannot resolve raises
        # AttributeError instead of falling back to it.
        return getattr(self, name)

    security.declarePrivate('setAuthCookie')
    def setAuthCookie(self, resp, cookie_name, cookie_value):
        # `resp` is untouched: nothing is sent to the client from here,
        # the value only goes into the server-side session.
        session = self.REQUEST.SESSION
        session[(cookie_name, self.getCookiePath())] = cookie_value

    security.declarePrivate('expireAuthCookie')
    def expireAuthCookie(self, resp, cookie_name):
        # Forget the stored value; a session that never held one is fine.
        try:
            session = self.REQUEST.SESSION
            del session[(cookie_name, self.getCookiePath())]
        except KeyError:
            pass

    security.declarePrivate('modifyRequest')
    def modifyRequest(self, req, resp):
        # Put the session-held value where the base class looks for the
        # auth cookie, then let the base class do the rest.
        session_key = (self.auth_cookie, self.getCookiePath())
        credentials = req.SESSION.get(session_key, None)
        if credentials:
            req[self.auth_cookie] = credentials
        # NOTE(review): when the session holds nothing, whatever the
        # request already carries under self.auth_cookie is passed on
        # unchanged.  Whether the base class then accepts a value sent by
        # the client is not visible in this file -- confirm.
        return CookieCrumbler.modifyRequest(self, req, resp)

    # Installation and removal of traversal hooks.
    # These two hooks carry comments rather than docstrings so that their
    # publishability stays exactly as it was (ZPublisher refuses to
    # publish objects that have no docstring).
    def manage_beforeDelete(self, item, container):
        # Only react when this very object is being removed.
        if item is not self:
            return
        hook_id = '/'.join((self.meta_type, self.getId()))
        BeforeTraverse.unregisterBeforeTraverse(container, hook_id)

    def manage_afterAdd(self, item, container):
        # Only react when this very object has been added.
        if item is not self:
            return
        hook_id = '/'.join((self.meta_type, self.getId()))
        target = container.this()
        caller = BeforeTraverse.NameCaller(self.getId())
        BeforeTraverse.registerBeforeTraverse(target, caller, hook_id)

    security.declarePublic('logout')
    def logout(self):
        ' log the user out '
        # Declared public, so no permission check guards this call.
        # invalidate() drops the whole SESSION, not only the stored
        # credentials entry; any other per-session data goes with it.
        self.REQUEST.SESSION.invalidate()
        # The base class then performs the usual logout handling.
        return CookieCrumbler.logout(self)
# Finalise the class so the ClassSecurityInfo declarations made in its
# body take effect.
InitializeClass(SessionCookieCrumbler)

# Add form for the new object type, loaded from dtml/addSessionCC.
manage_addSessionCCForm = DTMLFile(os.path.join('dtml', 'addSessionCC'), globals())
def manage_addSessionCC(dispatcher, id, create_forms=0, REQUEST=None):
    ''' Create a Session Cookie Crumbler '''
    # Build the object and store it in the container behind `dispatcher`.
    crumbler = SessionCookieCrumbler()
    crumbler.id = id
    dispatcher._setObject(crumbler.getId(), crumbler)

    # Fetch it back through the container; the default forms are created
    # on that object rather than on the bare instance built above.
    crumbler = getattr(dispatcher.this(), crumbler.getId())
    if create_forms:
        _create_forms(crumbler)

    # Called through the web: show the container's management view.
    # Called from code (REQUEST is None): return None.
    if REQUEST is None:
        return None
    return dispatcher.manage_main(dispatcher, REQUEST)
def initialize(context):
    ''' Register the SessionCookieCrumbler class '''
    # The add form comes first, the factory it submits to second.
    add_form_and_factory = (manage_addSessionCCForm, manage_addSessionCC)
    # NOTE(review): no permission= is passed, so the add permission is
    # whatever registerClass derives by default -- confirm that this is
    # the intended policy for a type that holds login credentials.
    context.registerClass(
        SessionCookieCrumbler,
        constructors=add_form_and_factory,
        icon='cookie.gif',
    )
=== Products/CookieCrumbler/CHANGES.txt 1.14 => 1.15 ===
--- Products/CookieCrumbler/CHANGES.txt:1.14 Thu Jan 22 11:41:00 2004
+++ Products/CookieCrumbler/CHANGES.txt Sat Apr 17 00:15:33 2004
@@ -1,6 +1,15 @@
Next release
+- Added SessionCookieCrumber. This is a new object type that can be
+ used as a replacement to CookieCrumber. Instead of storing usernames
+ and passwords in a Cookie, they are instead stored on the server in
+ the SESSION. This greatly improves security, but may complicate
+ ZEO installations (as server affinity will be required, or the
+ session_data shared between all ZEO clients). All users will be
+ logged out if the SESSION data store is cleared, for example
+ when restarting a server that is storing SESSION data in RAM.
+
- CookieCrumbler now lets you disable or modify the Cache-Control
header to work around MSIE's irrational handling of the Cache-Control
header. See MS knowledge base article #316431.
=== Products/CookieCrumbler/CookieCrumbler.py 1.22 => 1.23 ===
--- Products/CookieCrumbler/CookieCrumbler.py:1.22 Thu Feb 5 10:35:15 2004
+++ Products/CookieCrumbler/CookieCrumbler.py Sat Apr 17 00:15:33 2004
@@ -388,6 +388,19 @@
manage_addCCForm = HTMLFile('dtml/addCC', globals())
manage_addCCForm.__name__ = 'addCC'
+def _create_forms(ob):
+ ''' Create default forms inside ob '''
+ import os
+ from OFS.DTMLMethod import addDTMLMethod
+ dtmldir = os.path.join(os.path.dirname(__file__), 'dtml')
+ for fn in ('index_html', 'logged_in', 'logged_out', 'login_form',
+ 'standard_login_footer', 'standard_login_header'):
+ filename = os.path.join(dtmldir, fn + '.dtml')
+ f = open(filename, 'rt')
+ try: data = f.read()
+ finally: f.close()
+ addDTMLMethod(ob, fn, file=data)
+
def manage_addCC(dispatcher, id, create_forms=0, REQUEST=None):
' '
ob = CookieCrumbler()
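Review bot: `_create_forms` carries a leading underscore, yet this same commit imports it from another module (`from CookieCrumbler import CookieCrumbler, _create_forms` in SessionCookieCrumbler.py), so it is in effect shared API and its one-line docstring undersells that. I would expand the docstring to something like `''' Create the default login/logout DTML methods inside ob from this package's dtml directory; also used by SessionCookieCrumbler '''`. The file names come from a fixed tuple, so no caller-supplied path reaches `open()`; a short comment saying so would help keep that property if the list is ever made configurable. manage_addCC's body continues outside this hunk.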
@@ -395,15 +408,6 @@
dispatcher._setObject(ob.getId(), ob)
ob = getattr(dispatcher.this(), ob.getId())
if create_forms:
- import os
- from OFS.DTMLMethod import addDTMLMethod
- dtmldir = os.path.join(os.path.dirname(__file__), 'dtml')
- for fn in ('index_html', 'logged_in', 'logged_out', 'login_form',
- 'standard_login_footer', 'standard_login_header'):
- filename = os.path.join(dtmldir, fn + '.dtml')
- f = open(filename, 'rt')
- try: data = f.read()
- finally: f.close()
- addDTMLMethod(ob, fn, file=data)
+ _create_forms(ob)
if REQUEST is not None:
return dispatcher.manage_main(dispatcher, REQUEST)
=== Products/CookieCrumbler/__init__.py 1.3 => 1.4 ===
--- Products/CookieCrumbler/__init__.py:1.3 Fri Jun 6 11:15:36 2003
+++ Products/CookieCrumbler/__init__.py Sat Apr 17 00:15:33 2004
@@ -13,6 +13,7 @@
##############################################################################
import CookieCrumbler
+import SessionCookieCrumbler
CookieCrumbler.CookieCrumbler.meta_type = 'Cookie Crumbler (Standalone)'
@@ -23,4 +24,5 @@
CookieCrumbler.manage_addCC),
icon = 'cookie.gif'
)
+ SessionCookieCrumbler.initialize(context)