[Zope-PAS] CookieAuthHelper.
Chris McDonough
chrism at plope.com
Thu Nov 18 14:00:11 EST 2004
I see. I'm not sure of the best way to fix this and still have it
operate properly. Nobody else sees this "double auth" issue, huh?
On Thu, 2004-11-18 at 19:50 +0100, Florent Guillaume wrote:
> I think the idea is that it's bad to leave secret information left in
> the request after it's been used during traversal, in case the request
> object is later seen by an untrusted party.
>
> CookieCrumbler basically does:
> self.delRequestVar(req, self.name_cookie)
> self.delRequestVar(req, self.pw_cookie)
>
> Florent
>
> > Index: CookieAuthHelper.py
> > ===================================================================
> > RCS
> > file:
> > /home/dixonhughes_com/cvs_efr/Products/PluggableAuthService/plugins/CookieAuthHelper.py,v
> > retrieving revision 1.2
> > diff -u -r1.2 CookieAuthHelper.py
> > --- CookieAuthHelper.py 8 Nov 2004 09:11:37 -0000 1.2
> > +++ CookieAuthHelper.py 14 Nov 2004 03:47:15 -0000
> > @@ -117,8 +117,8 @@
> > creds['login'] = login
> > creds['password'] = password
> >
> > - request.set('__ac_name', '')
> > - request.set('__ac_password', '')
> > + #request.set('__ac_name', '')
> > + #request.set('__ac_password', '')
> >
> > if creds:
> > creds['remote_host'] = request.get('REMOTE_HOST', '')
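Review bot: commenting out the two `request.set('__ac_name', '')` / `request.set('__ac_password', '')` lines leaves the plaintext login and password readable from the request for the rest of traversal, which is the exposure those lines guard against (see the explanation in the reply about not leaving secret information in the request once it has been used). If the blank strings left in REQUEST.other are what causes the double-auth behaviour, the smaller change is to remove the variables instead of blanking them, the way CookieCrumbler's delRequestVar does, rather than dropping the scrub altogether. Also, if the calls really are to go, delete the lines rather than leaving them commented out, so the diff records the removal instead of dead code.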
> >
> > The problem was that the request.set puts "__ac_name" and
> > "__ac_password" (both as blank strings) into the REQUEST.other
> > dictionary. I have no idea why this is done.
>
>
>
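To make the three behaviours discussed in this thread concrete (leaving the credentials in the request, blanking them to '' in REQUEST.other as the patched lines did, or removing them entirely as CookieCrumbler's delRequestVar does), here is an added example; it is not code from PluggableAuthService or CookieCrumbler. `FakeRequest` is a constructed, much simplified stand-in for a Zope REQUEST, and `del_request_var`, `extract_credentials` and `password_visible_later` are names chosen for this illustration.

```python
"""Model of credential extraction followed by request scrubbing.

Constructed example: `FakeRequest` is a deliberately simplified stand-in
for a Zope REQUEST. Real Zope requests merge several namespaces; here
`form` and `cookies` hold what the client sent and `other` holds values
set during processing, with `other` shadowing the rest on lookup.
"""


class FakeRequest:
    """Minimal stand-in for a Zope REQUEST (constructed for this example)."""

    def __init__(self, form=None, cookies=None):
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})
        self.other = {}

    def get(self, key, default=None):
        # Values set on the request shadow what the client submitted.
        for ns in (self.other, self.form, self.cookies):
            if key in ns:
                return ns[key]
        return default

    def set(self, key, value):
        self.other[key] = value

    def has_key(self, key):
        return any(key in ns for ns in (self.other, self.form, self.cookies))

    def snapshot(self):
        """What a later consumer (error page, log, template) could observe."""
        merged = {}
        merged.update(self.cookies)
        merged.update(self.form)
        merged.update(self.other)
        return merged


def del_request_var(request, name):
    """Simplified stand-in for CookieCrumbler.delRequestVar: drop the
    variable from every namespace so nothing later in the request sees it."""
    for ns in (request.other, request.form, request.cookies):
        ns.pop(name, None)


def extract_credentials(request, scrub="delete"):
    """Pull login/password out of the request, then scrub per `scrub`:
    "none"   - leave the request untouched (credentials linger),
    "blank"  - overwrite with '' in request.other (the lines the quoted
               patch comments out),
    "delete" - remove the variables entirely (CookieCrumbler style).
    """
    login = request.get("__ac_name", "")
    password = request.get("__ac_password", "")
    creds = {}
    if login:
        creds["login"] = login
        creds["password"] = password
    if scrub == "blank":
        request.set("__ac_name", "")
        request.set("__ac_password", "")
    elif scrub == "delete":
        del_request_var(request, "__ac_name")
        del_request_var(request, "__ac_password")
    return creds


def password_visible_later(scrub):
    """Run one constructed login request through extraction and report
    whether the plaintext password is still observable afterwards and
    whether the variable name is still present at all (the blank-string
    case keeps the key around with an empty value)."""
    req = FakeRequest(form={"__ac_name": "alice", "__ac_password": "s3cret"})
    creds = extract_credentials(req, scrub=scrub)
    later = req.snapshot()
    return {
        "creds": creds,
        "password_visible": later.get("__ac_password") == "s3cret",
        "var_present": req.has_key("__ac_password"),
    }


if __name__ == "__main__":
    for mode in ("none", "blank", "delete"):
        print(mode, password_visible_later(mode))
```

The point the example makes is that blanking and deleting both hide the password from later readers of the request, but only deleting removes the `__ac_name` / `__ac_password` keys themselves; anything downstream that keys its behaviour on the presence of those variables will see them in the "blank" case and not in the "delete" case.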