[Zope-dev] Re: [patch] More secure cookie crumbler?
Chris Withers
chris at simplistix.co.uk
Mon Apr 12 09:04:59 EDT 2004
Shane Hathaway wrote:
>>I think the attached patch (against CookieCrumbler 1.1) makes
>>CookieCrumbler a little more secure.
>
> Your patch won't work with multiple ZEO app servers. It appears to store
> the tokens in a module global. Do not apply it.
Well, that's a little harsh. The default methods will only work on setups where
there's at most one ZEO client accepting web requests for each user.
However, all you have to do is drop 3
ZSQL-methods-filtered-through-python-scripts or
python-scripts-using-a-session-data-container and it works across any number of
ZEO clients accepting web requests for any user.
>>PS: To make cookie auth properly secure, you really need to be working
>>over SSL only
>
> I agree--SSL is required. Let's not give people a false
> sense of security by changing CookieCrumbler.
That was the reason for the long NB/PS at the end of the email.
The patch does still prevent the Browser seeing the password of the user, and
reduces the chances of session hijacking. With normal cookie crumbler, if you
snoop a session, you can keep using it until the user changes their password.
With the patch, at longest it'll be until the app server is restarted, but more
likely the 20 minute session expiry time on the server and, if the session was
being used actively at the time it was snooped, until the user next requests a
page.
For me, that's worth patching for, it's up to you if you want to include it in
an official CookieCrumbler release or not ;-)
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
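An added illustration of the session-token design discussed in the thread (this is example code, not CookieCrumbler or the patch itself): an opaque token is stored server-side with the 20 minute idle expiry, is rotated on every validated request so a snooped copy stops working once the user loads another page, and lives only in process memory so it vanishes on restart. `TokenStore`, `IDLE_TIMEOUT` and the injectable clock are assumptions made for the example; like the patch, a module-level store only works with a single app server.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; the 20 minute server-side expiry from the thread


class TokenStore:
    """In-process store mapping opaque tokens to (user, last_seen).

    Being process-local is deliberate here: it is what makes a restart
    invalidate every token, and also why it breaks with several ZEO clients.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._tokens = {}        # token -> (user, last_seen)

    def issue(self, user):
        """Mint a fresh random token; it carries no password material at all."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, self._now())
        return token

    def validate(self, token):
        """Return (user, new_token) for a live token, else None.

        The presented token is consumed whether or not it is still valid, so a
        copy taken by a snooper is useless after the legitimate user's next
        request, and an idle token dies after IDLE_TIMEOUT.
        """
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        user, last_seen = entry
        if self._now() - last_seen > IDLE_TIMEOUT:
            return None
        return user, self.issue(user)   # rotate: the caller sets the new cookie


if __name__ == "__main__":
    store = TokenStore()
    first = store.issue("alice")
    user, second = store.validate(first)
    print(user, store.validate(first) is None, second != first)
```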