[Zope-dev] Plain-text passwords in your ZODB

Markus Kemmerling markus.kemmerling at meduniwien.ac.at
Fri Dec 17 03:26:16 EST 2010


Am 16.12.2010 um 20:58 schrieb Marius Gedminas:

> On Thu, Dec 16, 2010 at 08:39:40PM +0100, Andreas Jung wrote:
>> Marius Gedminas wrote:
>>> So, did you know that by default Zope stores a copy of every user's
>>> username and password in your ZODB, in plain text, on every login that
>>> uses forms and sessions (rather than HTTP basic auth)?
>> 
>> By "Zope" you mean Zope 3, ZTK, Bluebream ...?
> 
> All of the above.  More specifically, zope.pluggableauth (and, I assume,
> zope.app.authentication before that).

I never understood why you would want to store the credentials in the session at all (AFAIK not necessarily in your app's ZODB, in case you use a RAM-based session storage). Besides storing passwords in your session, Zope 3's and probably also Bluebream's PAU authenticate the user on each request. That might not be a problem if you use a local principal folder, but if you authenticate against an external authentication source, e.g. LDAP, you probably don't want to contact it on each request.

For our apps we modified the PAU (plugins) to store the authenticated principal in the session instead of the credentials. The only possible disadvantage I can think of is that you can't lock out a user until their session is invalidated.

Regards,
Markus Kemmerling
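The two session designs discussed in this message, modelled as an added example; this is not zope.pluggableauth's own code and not the patched plugins from the poster's apps. The plugin protocol is imitated with plain Python objects so the script runs without Zope installed, `ExternalDirectory` stands in for an LDAP server or principal folder and counts how often it is contacted, the user record and the `dict` used as a session are constructed sample data, and the scenario ends by clearing the session to show that this is what finally evicts a disabled user under the principal-in-session variant.

```python
"""Credentials-in-session vs. principal-in-session, modelled in plain Python.

Added example, not zope.pluggableauth's own code.  Both "plugins" expose
login() and authenticate() so the same scenario can be run against each.
"""
import hashlib
import hmac
import os


class ExternalDirectory:
    """Stand-in (assumption) for an external authentication source such as LDAP."""

    def __init__(self):
        self.users = {}
        self.lookups = 0  # how many times a request hit the directory

    def add_user(self, login, password, principal_id):
        salt = os.urandom(16)
        self.users[login] = {
            "salt": salt,
            "digest": hashlib.sha256(salt + password.encode()).digest(),
            "principal_id": principal_id,
            "enabled": True,
        }

    def disable(self, login):
        self.users[login]["enabled"] = False

    def authenticate(self, login, password):
        """Return a principal id or None.  Every call costs a round trip."""
        self.lookups += 1
        rec = self.users.get(login)
        if rec is None or not rec["enabled"]:
            return None
        digest = hashlib.sha256(rec["salt"] + password.encode()).digest()
        return rec["principal_id"] if hmac.compare_digest(digest, rec["digest"]) else None


class CredentialsInSessionPlugin:
    """Default-style behaviour described in the thread: the login form's
    username and password are kept in the session and re-authenticated on
    every request."""

    KEY = "credentials"

    def login(self, session, login, password, directory):
        session[self.KEY] = {"login": login, "password": password}  # plain text
        return directory.users.get(login, {}).get("principal_id")

    def authenticate(self, session, directory):
        creds = session.get(self.KEY)
        if creds is None:
            return None
        return directory.authenticate(creds["login"], creds["password"])


class PrincipalInSessionPlugin:
    """Variant from the message: authenticate once at login, then keep only
    the resulting principal id in the session."""

    KEY = "principal_id"

    def login(self, session, login, password, directory):
        pid = directory.authenticate(login, password)
        if pid is not None:
            session[self.KEY] = pid
        return pid

    def authenticate(self, session, directory):
        return session.get(self.KEY)  # no round trip, no password in storage


def run_scenario(plugin_cls, requests=5):
    """Log in, serve `requests` requests, disable the account, serve one more
    request, then invalidate the session and try again."""
    directory = ExternalDirectory()
    directory.add_user("alice", "correct horse", "alice-id")  # constructed sample
    session = {}  # stands in for the session data container
    plugin = plugin_cls()
    plugin.login(session, "alice", "correct horse", directory)
    stored = repr(dict(session))  # what a persistent session store would hold
    principals = [plugin.authenticate(session, directory) for _ in range(requests)]
    lookups = directory.lookups
    directory.disable("alice")
    after_lockout = plugin.authenticate(session, directory)
    session.clear()  # invalidating the session is what finally evicts the user
    after_invalidate = plugin.authenticate(session, directory)
    return {
        "password_in_storage": "correct horse" in stored,
        "directory_lookups": lookups,
        "principals": principals,
        "authenticated_after_lockout": after_lockout is not None,
        "authenticated_after_invalidate": after_invalidate is not None,
    }


if __name__ == "__main__":
    for cls in (CredentialsInSessionPlugin, PrincipalInSessionPlugin):
        print(cls.__name__, run_scenario(cls))
```

Running it shows the trade-off in one table: the credentials plugin leaves the password in the session store and hits the directory once per request, but a disabled account is rejected on the very next request; the principal plugin stores only the principal id and contacts the directory once, but the disabled user stays authenticated until the session is cleared.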