[Zope-PAS] Re: Plugin for PluggableUserFolder (was: more secure
cookie crumber)
Tres Seaver
tseaver at zope.com
Thu Oct 7 10:21:12 EDT 2004
Jean-Marc Orliaguet wrote:
>
> Hi!
>
> There was a discussion earlier on the list (I don't remember which one)
> about implementing a more secure cookie crumbler.
>
> Just for information: I have updated the KerberosIdentification plugin
> for PluggableUserFolder (basically an external authentication plugin) to
> force it to not store the password in '__ac' in a cookie (not even in
> the Zope session as SessionCrumbler does). So the password is only used
> once, i.e. when the user logs in, and then it is not used or stored
> anymore during the session. Hence there is no risk that the password be
> seen in any way: i.e. through a core dump, unencrypted session w/ ZEO,
> etc...
>
> The information about authenticated users (similar to a ticket
> containing the username and the ZopeID) is saved in a RAM cache so it is
> possible to know how many users are logged on simultaneously, or to
> implement an auto-logout function, etc. or to prevent a same user from
> being logged on from several sessions (as it is by default in this
> implementation).
> It won't work with ZEO though unless the session is bound to a same zope
> server for a given period of time.
>
> To clear the password I had to remove CookieCrumbler and implement the
> cookie management part in the plugin instead.
>
> Here is the readme:
> https://sf.codex-se.org/project/shownotes.php?release_id=54
>
> And the code:
> http://cvs.codex-se.org/viewcvs/viewcvs.cgi/KerberosIdentification/?cvsroot=zope
>
> https://sf.codex-se.org/download.php/52/KerberosIdentification1.1.tgz
>
> I am also working on a RAMCacheCrumbler that stores the __ac in RAM, and
> which is faster than SessionCrumbler (see
> http://cvs.codex-se.org/viewcvs/viewcvs.cgi/RAMCacheCrumbler/?cvsroot=zope).
>
>
> Now I would like to make it work without storing the __ac in RAM. Has
> anyone had any experience with this?
> I feel that the best solution is to dump the crumbler and implement
> everything in the userfolder.
>
> Has anyone managed to write a cookiecrumbler / sessioncrumbler /
> whatevercrumbler that does not store the password anywhere?
Note that there is a PAS-specific list, 'zope-pas at zope.org'. I am
CC'ing the zope-pas list so that the existence of the thread is noted in
its archives.
Tres.
--
===============================================================
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
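The scheme Jean-Marc describes above (the password is checked once at login and never stored; a RAM-resident table keeps only a ticket bound to the username, which also gives you a count of logged-on users, an idle auto-logout, and one session per user) as an added Python sketch. This is not the KerberosIdentification plugin's code, nor anything from this thread; `TicketStore`, `make_verifier`, the demo credential table and the injectable clock are assumptions made for the example, and the real plugin verifies against Kerberos inside the user folder rather than against a local hash table.

```python
import hashlib
import hmac
import os
import secrets
import time


def make_verifier(plaintext_users):
    """Build a verify(username, password) callable from a constructed
    demo table. Only salted PBKDF2 digests are kept; the cleartext
    table is dropped once hashed. Stand-in for the Kerberos check."""
    table = {}
    for user, pw in plaintext_users.items():
        salt = os.urandom(16)
        table[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))

    def verify(username, password):
        entry = table.get(username)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    return verify


class TicketStore:
    """RAM cache of authenticated sessions. Holds only ticket -> username
    and a last-seen time; the password never enters this object, so a
    core dump or an unencrypted ZEO link cannot expose it. Like the
    plugin described on the list, it is process-local and does not
    share state across ZEO clients."""

    def __init__(self, ttl=900, now=time.time):
        self.ttl = ttl          # idle seconds before auto-logout
        self.now = now          # injectable clock (assumption, for testing)
        self._by_ticket = {}    # ticket -> (username, last_seen)
        self._by_user = {}      # username -> ticket

    def login(self, username, password, verify):
        """Use the password exactly once; on success return a fresh
        random ticket, or None on failure."""
        if not verify(username, password):
            return None
        # One session per user: a new login evicts the previous ticket.
        old = self._by_user.pop(username, None)
        if old is not None:
            self._by_ticket.pop(old, None)
        ticket = secrets.token_urlsafe(32)
        self._by_ticket[ticket] = (username, self.now())
        self._by_user[username] = ticket
        return ticket

    def identify(self, ticket):
        """Map the cookie value back to a username, enforcing the idle
        timeout with a sliding window. Unknown or expired -> None."""
        entry = self._by_ticket.get(ticket)
        if entry is None:
            return None
        username, last_seen = entry
        if self.now() - last_seen > self.ttl:
            self.logout(ticket)
            return None
        self._by_ticket[ticket] = (username, self.now())
        return username

    def logout(self, ticket):
        entry = self._by_ticket.pop(ticket, None)
        if entry is not None:
            self._by_user.pop(entry[0], None)

    def active_users(self):
        """Who is logged on right now (the 'how many users' question)."""
        return sorted(self._by_user)


def ac_cookie_header(ticket):
    """The '__ac' cookie now carries only the opaque ticket. HttpOnly and
    Secure keep it away from page scripts and plain-HTTP links."""
    return "__ac=%s; Path=/; HttpOnly; Secure" % ticket


if __name__ == "__main__":
    verify = make_verifier({"alice": "correct horse"})   # constructed demo user
    store = TicketStore(ttl=900)
    ticket = store.login("alice", "correct horse", verify)
    print(ac_cookie_header(ticket))
    print("identified as:", store.identify(ticket))
    print("logged on:", store.active_users())
```

The ticket is the only thing the browser holds, so replacing the cookie crumbler's encoded `user:password` value with it is what removes the password from the cookie, the session store and process memory; the trade-off Jean-Marc notes still applies, since the table lives in one process and a ZEO setup needs sticky sessions or a shared store.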