[Zope] CoreSessionTracking-based LoginMethod for LoginManager

Chris McDonough chrism@zope.com
Wed, 15 Aug 2001 10:34:05 -0400


Andy Gimblett wrote:
> 
> Hi there Zopers,

Hi!
 
> I'm currently trying to develop a LoginMethod for LoginManager which
> uses CoreSessionTracking to store/access credentials, rather than
> Basic HTTP Authorization or Basic Cookie Authorization. Here's why:
> 
>   - Basic HTTP auth is unacceptable because we need form-based login.
> 
>   - I've looked at other user folders which support cookies, and at
>     CookieCrumbler, and at the BasicCookieLogin class bundled with
>     LoginManager, but they all share the problem (in my mind) that
>     they store the username/password encoded in the cookie itself,
>     which isn't very secure - and doesn't extend well into storing
>     other information if I wanted to.
> 
>   - I'd much rather use a token-based scheme where all sensitive
>     information is stored on the server, and the cookie is just a
>     token which can be mapped to that data. This seems to me to be
>     what CoreSessionTracking offers.

Yes..

> 
>   - The CST documentation mainly talks about CST as a way of tracking
>     anonymous sessions, but I see no reason why it couldn't be used
>     in this way too...?

Well... one reason is that there is no failsafe access control on
session data objects (the token key is the only thing required to grab
hold of a session data object and all of its contents via DTML).

As a result, the data that is stored in a session data object would
itself need to be encrypted in some way for it to be "secured". 
Encrypting it assumes some sort of shared key, so you're back to the
original problem with a layer of indirection.  :-(

Safe authentication is a hard problem.  The sessioning machinery might
help in some way, but it's not an answer in and of itself. 

-- 
Chris McDonough                           Zope Corporation
http://www.zope.org                    http://www.zope.com

""" Killing hundreds of birds with thousands of stones """
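
An added example, not part of the original message and not the CoreSessionTracking or LoginManager API: a minimal token-keyed session store in plain Python showing the scheme discussed above. Because the token alone unlocks the whole record, the record holds only the user name and an expiry, never the password. `SessionStore`, `check_password`, the user `alice` and her password are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user: PBKDF2 hash of the sample password "s3cret".
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, 100_000)}


def check_password(username, password):
    """Hypothetical stand-in for the real user-folder credential check."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    stored = _USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


class SessionStore:
    """Maps a bearer token to server-side session data (in memory)."""

    def __init__(self, ttl=1800, clock=time.time):
        self._records = {}
        self._ttl = ttl
        self._clock = clock

    @staticmethod
    def _key(token):
        # Index by hash so a dump of the store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username, password):
        if not check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, sent as the cookie
        # Whoever holds the token can read this record: identity only, no password.
        expires = self._clock() + self._ttl
        self._records[self._key(token)] = {"user": username, "expires": expires}
        return token

    def lookup(self, token):
        """Return the user name for a live token, else None."""
        record = self._records.get(self._key(token))
        if record is None or self._clock() >= record["expires"]:
            self._records.pop(self._key(token), None)
            return None
        return record["user"]

    def logout(self, token):
        self._records.pop(self._key(token), None)
```

The token is still a bearer secret, so the cookie carrying it needs the same transport protection as any other credential.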