[Zope-PAS] Re: [Plone-developers] Re: Plugin for PluggableUserFolder

Tres Seaver tseaver at zope.com
Mon Oct 11 08:56:59 EDT 2004


Jean-Marc Orliaguet wrote:
> Tres Seaver wrote:
> 
>> Jean-Marc Orliaguet wrote:
>>
>>>
>>> Hi!
>>>
>>> There was a discussion earlier on the list (I don't remember which 
>>> one) about implementing a more secure cookie crumbler.
>>>
>>> Just for information: I have updated the KerberosIdentification 
>>> plugin for PluggableUserFolder (basically an external authentication 
>>> plugin) to force it to not store the password in '__ac' in a cookie 
>>> (not even in the Zope session as SessionCrumbler does). So the 
>>> password is only used once, i.e. when the user logs in, and then it 
>>> is not used or stored anymore during the session. Hence there is no 
>>> risk that the password be seen in any way: i.e. through a core dump, 
>>> unencrypted session w/ ZEO, etc...
>>>
>>> The information about authenticated users (similar to a ticket 
>>> containing the username and the ZopeID) is saved in a RAM cache so it 
>>> is possible to know how many users are logged on simultaneously, or 
>>> to implement an auto-logout function, etc. or to prevent the same user 
>>> from being logged on from several sessions (as it is by default in 
>>> this implementation).
>>> It won't work with ZEO though unless the session is bound to the same 
>>> zope server for a given period of time.
>>>
>>> To clear the password I had to remove CookieCrumbler and implement 
>>> the cookie management part in the plugin instead.
>>>
>>> Here is the readme:
>>> https://sf.codex-se.org/project/shownotes.php?release_id=54
>>>
>>> And the code:
>>> http://cvs.codex-se.org/viewcvs/viewcvs.cgi/KerberosIdentification/?cvsroot=zope 
>>>
>>> https://sf.codex-se.org/download.php/52/KerberosIdentification1.1.tgz
>>>
>>> I am also working on a RAMCacheCrumbler that stores the __ac in RAM, 
>>> and which is faster than SessionCrumbler (see 
>>> http://cvs.codex-se.org/viewcvs/viewcvs.cgi/RAMCacheCrumbler/?cvsroot=zope). 
>>>
>>>
>>> Now I would like to make it work without storing the __ac in RAM. Has 
>>> anyone had any experience with this?
>>> I feel that the best solution is to dump the crumbler and implement 
>>> everything in the userfolder.
>>>
>>> Has anyone managed to write a cookiecrumbler / sessioncrumbler / 
>>> whatevercrumbler that does not store the password anywhere?
>>
>>
>>
>> Note that there is a PAS-specific list, 'zope-pas at zope.org'.  I am 
>> CC'ing the zope-pas list so that the existence of the thread is noted 
>> in its archives.
>>
>> Tres.
> 
> 
> 
> Hi!
> 
> I have uploaded a 0.1 release of a RAMCacheCrumbler if anyone is 
> interested in testing it.
> https://sf.codex-se.org/project/showfiles.php?group_id=17&release_id=56
> 
> The __ac string is stored in a ram cache (protected) and the user name 
> is saved in a protected class in the session (cf PluggableUserFolder). 
> It would be safer if the __ac string with the password was not stored 
> anywhere, but it is still safer than storing it in a cookie 
> (CookieCrumbler) or in the session (SessionCrumbler).
> 
> There is no mechanism to expire entries in the cache yet but the cache 
> size does not grow since every user cannot have more than one entry in 
> it (new entries replace old ones).
> 
> PS for plone users: some skins need to be updated to remove hardcoded 
> references to 'cookie_authentication' and refer to 
> 'ramcache_authentication' instead (or simply create a RAMCacheCrumbler 
> called 'cookie_authentication').

Please continue to include zope-pas at zope.org in this discussion (in 
fact, I would recommend trimming *all* the other groups out;  interested 
parties should be willing to move to the more focused list).

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
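As an added illustration of the design the thread is circling around (verify the password exactly once, keep only an opaque ticket server-side, one live session per user, and the expiry mechanism the 0.1 release is said to lack), here is a minimal ticket store. This is example code written for this page, not code from the KerberosIdentification or RAMCacheCrumbler projects; the class and method names, the TTL, and the sample user table are all assumptions.

```python
"""Added example (not from KerberosIdentification or RAMCacheCrumbler):
a RAM-only ticket store in the spirit of the thread.

The password is checked once at login and never retained; the browser
receives only a random opaque ticket, and the server maps
ticket -> (username, last_seen).  Each user has at most one live ticket
(a new login replaces the old one) and entries expire after an idle period.
"""
import hashlib
import hmac
import secrets
import time


def _hash(salt, password):
    # Assumed scheme for the sample table only: sha256(salt + password).
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed sample user table: username -> (salt, digest).
_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, _hash(_SALT, "correct horse")),
}


class TicketStore:
    """RAM-only store of authenticated sessions keyed by opaque ticket."""

    def __init__(self, ttl=600, clock=time.monotonic):
        self.ttl = ttl            # idle seconds before a ticket expires
        self.clock = clock        # injectable for deterministic testing
        self._by_ticket = {}      # ticket -> (username, last_seen)
        self._by_user = {}        # username -> ticket

    def login(self, username, password):
        """Verify the password once; return a ticket or None.

        The password is not stored anywhere after this call returns.
        """
        record = USERS.get(username)
        if record is None:
            return None
        salt, digest = record
        if not hmac.compare_digest(_hash(salt, password), digest):
            return None
        # One live session per user: a new login replaces the old ticket.
        old = self._by_user.pop(username, None)
        if old is not None:
            self._by_ticket.pop(old, None)
        ticket = secrets.token_urlsafe(32)
        self._by_ticket[ticket] = (username, self.clock())
        self._by_user[username] = ticket
        return ticket

    def identify(self, ticket):
        """Map a ticket from the request cookie to a username.

        Returns None for unknown or expired tickets; a hit refreshes
        the idle timer (sliding expiry).
        """
        entry = self._by_ticket.get(ticket)
        if entry is None:
            return None
        username, last_seen = entry
        now = self.clock()
        if now - last_seen > self.ttl:
            self.logout(ticket)
            return None
        self._by_ticket[ticket] = (username, now)
        return username

    def logout(self, ticket):
        """Drop a ticket and its user's session."""
        entry = self._by_ticket.pop(ticket, None)
        if entry is not None:
            self._by_user.pop(entry[0], None)

    def active_users(self):
        """Number of users currently logged on (one entry per user)."""
        return len(self._by_user)


if __name__ == "__main__":
    store = TicketStore(ttl=600)
    ticket = store.login("alice", "correct horse")
    print("ticket issued:", ticket is not None)
    print("identified as:", store.identify(ticket))
    print("active users:", store.active_users())
```

Because the mapping lives in process memory, this has the same limitation Jean-Marc notes for the ZEO case: with several Zope processes, a client's requests must stay pinned to the process that issued the ticket, or the store must be moved somewhere shared.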

