[Zope-dev] Zope security alert and 2.2 information

Kent Polk kent@goathill.org
12 May 2000 05:19:42 GMT


On 10 May 2000 09:10:02 -0500, Anthony Baxter wrote:
>
>.. and even then, if they've had a previous successful auth for a
>page, the browser will re-use the token. The only _real_ way to do
>it properly is to pass a token to the client, and use that token to
>reference their authentication information. That way, when they log
>out, you destroy the authentication information on the server side.

Some browsers *do* only pass authentication info when the server
requests it.  We discovered this a couple of years ago when
experimenting with the newly-developed domain authentication that
I asked to be implemented in userfolders with Principia.

Popular methodology was to pass the user through an authentication
portal which triggered the client into establishing the site/
authentication action, and then relying on the client to continue
to send the authentication info even though the server objects
weren't requiring it. This scheme didn't work with the clients
which only sent auth. info when requested, so we made sure that
all objects referenced the required authenticator objects at all
times.

Sites developed with this expectation that simple authentication
portals are adequate can be quite trivial to bypass... It also
became clear that I needed to thoroughly test all my sites with a
browser which didn't automatically send auth info once 'portalled'
as some of the failure modes were quite elaborate and almost
impossible to determine without actual testing. Some were quite
puzzling even though you were watching the failure occur.
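As an added illustration of the point made above (example code written for this page, not from Kent Polk's post nor from Zope or Principia): a small Python simulation of the two site designs and the two browser behaviours described. The "portal" site checks credentials only at /portal and serves every other object unconditionally; the hardened site has every object reference the authenticator. The two simulated clients differ in whether they keep volunteering Basic credentials once accepted or only send them in reply to a 401 challenge. The credential store, the paths /portal and /private, and the Client class are constructed assumptions.

```python
import base64

# Constructed sample credential store; not from the original post.
USERS = {"alice": "correct horse"}


def parse_basic(headers):
    """Return the user name if the Authorization header carries valid
    HTTP Basic credentials, otherwise None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


def portal_site(path, headers):
    """Weak pattern: only /portal consults the authenticator. Every other
    object is served unconditionally and merely records a user name if
    the browser happened to volunteer one. Returns (status, user)."""
    user = parse_basic(headers)
    if path == "/portal" and user is None:
        return (401, None)
    return (200, user)


def hardened_site(path, headers):
    """Each object references the authenticator itself: no credentials,
    no content, whatever path is requested. Returns (status, user)."""
    user = parse_basic(headers)
    if user is None:
        return (401, None)
    return (200, user)


class Client:
    """Simulated user agent (hypothetical). preemptive=True models browsers
    that keep sending Basic credentials once a realm accepted them;
    preemptive=False models browsers that only send credentials in reply
    to a 401 challenge."""

    def __init__(self, creds=None, preemptive=True):
        self.creds = creds
        self.preemptive = preemptive
        self.authenticated = False

    def _auth_header(self):
        token = base64.b64encode("{}:{}".format(*self.creds).encode()).decode()
        return {"Authorization": "Basic " + token}

    def get(self, site, path):
        volunteer = bool(self.creds) and self.preemptive and self.authenticated
        headers = self._auth_header() if volunteer else {}
        status, user = site(path, headers)
        if status == 401 and self.creds:
            # Answer the challenge with the stored credentials.
            status, user = site(path, self._auth_header())
            if status == 200:
                self.authenticated = True
        return status, user


def browse(site, client, paths=("/portal", "/private")):
    """Walk the given paths with one client; return what the site saw
    for each request as a list of (status, user) pairs."""
    return [client.get(site, p) for p in paths]


if __name__ == "__main__":
    alice = ("alice", "correct horse")
    print("anonymous, portal site:   ", browse(portal_site, Client()))
    print("anonymous, hardened site: ", browse(hardened_site, Client()))
    print("challenge-only, portal:   ", browse(portal_site, Client(alice, preemptive=False)))
    print("preemptive, portal:       ", browse(portal_site, Client(alice, preemptive=True)))
    print("challenge-only, hardened: ", browse(hardened_site, Client(alice, preemptive=False)))
```

Run stand-alone, the simulation shows the two effects described in the post. With the portal-only site an anonymous client is refused at /portal but served /private anyway, which is the bypass; a browser that keeps volunteering credentials masks this by making /private appear to know who the user is, while a challenge-only browser reaches /private as an apparently anonymous user even after logging in at the portal, the kind of puzzling failure that only shows up when testing with such a client. The hardened site behaves identically with both kinds of browser, because every object issues its own challenge.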