[Zope] Cookie Crumbler - read Password from login_form
Terry Hancock
hancock at anansispaceworks.com
Mon Sep 15 11:07:02 EDT 2003
On Monday 15 September 2003 09:23 am, Chris Withers wrote:
> nicogrubert at arcor.de wrote:
> > my question is: how can I read the password the user
> > entered in the login_form?
>
> > I tried to decode the string stored in the cookie
> > "__ac" using base64.decodestring(<string>) and got
> > "<username>:x034x213324" where <username> is the
So, the password is being hashed on the client side? How is
that happening, exactly? Javascript, Java plugin, or ??
Or *is* "x034x213324" the clear text password? HTML forms
don't, to my knowledge, send encrypted data. If Zope (that
is, CookieCrumbler) is taking the cleartext password,
encrypting it, and then storing it in a cookie, then this
is probably the "long way round."
I realized after tinkering with this myself that encrypting
passwords for storage was probably a dumb idea if you're
not using SSL to begin with (i.e. if they're not getting
encrypted on the client side). Because it's sort of silly
to store them in such a way that even *you* can't read them
after you've just done the metaphorical equivalent of
shouting the secret across a crowded room! (i.e. sending
them plain text across the net in the user's web request).
(Because, which is more likely -- that an attacker will gain
shell access to your server and start going through your
user database, or that they will simply sniff for passwords
coming into your web server?).
Maybe that's immediately obvious to other people, but I
keep mentioning it, because it wasn't to me. ;-)
> > username in cleartext the user typed in the __ac_name
> > text field of login_form. How can I read the password
> > in cleartext? Background of this issue is that I need
> > to pass the password in cleartext to another
> > application.
>
> In that case, probably easier to customise the
> user folder and have it send the
> info when its getUser method is called.
Yeah, this would be my call, too. SimpleUserFolder,
BTW, is very easy to subclass to get whatever custom
behavior you need. I've been pretty happy with it so far,
so I'd recommend going with that.
Cheers,
Terry
--
Terry Hancock ( hancock at anansispaceworks.com )
Anansi Spaceworks http://www.anansispaceworks.com
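As an added example, not code from this thread or from CookieCrumbler itself, the Python 3 snippet below builds and decodes a cookie in the base64("<username>:<password>") layout the original poster found in `__ac`, to make the point of the thread concrete: base64 is a reversible encoding, not a hash or encryption, so anyone holding the cookie holds the cleartext password. `base64.b64decode` is used as the Python 3 replacement for the `base64.decodestring` call in the post; the cookie name `__ac` and the `:` separator come from the thread; the credentials and the non-printable password bytes are constructed sample data, and splitting on the first `:` only is this example's own choice so that a password containing `:` survives.

```python
import base64
import binascii
from typing import Tuple

COOKIE_NAME = "__ac"  # cookie name quoted in the thread


def make_ac_cookie(username: str, password: str) -> str:
    """Build a cookie value in the base64("<username>:<password>") layout
    described in the thread.  The username may not contain ':' because the
    decoder splits on the first ':' (the password itself may contain one)."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_ac_cookie(cookie_value: str) -> Tuple[str, bytes]:
    """Recover (username, password_bytes) from a cookie value.

    base64.b64decode replaces the base64.decodestring call from the post.
    The password comes back as raw bytes so a non-printable result is
    reported faithfully instead of being silently mangled."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"cookie is not valid base64: {exc}") from None
    user_b, sep, pw_b = raw.partition(b":")  # split on the FIRST ':' only
    if not sep:
        raise ValueError("decoded cookie has no ':' separator")
    return user_b.decode("utf-8"), pw_b


def password_text(pw_b: bytes) -> str:
    """Render a decoded password for display: the cleartext when it is
    printable UTF-8, otherwise repr() of the bytes, so control characters
    show up as \\x.. escapes rather than disappearing in a mail message."""
    try:
        text = pw_b.decode("utf-8")
    except UnicodeDecodeError:
        return repr(pw_b)
    return text if text.isprintable() else repr(pw_b)


def is_reversible_encoding(cookie_value: str) -> bool:
    """True when decoding and re-encoding yields the same cookie value,
    i.e. the value is an encoding, not a one-way digest: whoever reads the
    cookie, or sniffs the login POST on a non-SSL connection, has the
    password."""
    raw = base64.b64decode(cookie_value, validate=True)
    return base64.b64encode(raw).decode("ascii") == cookie_value


if __name__ == "__main__":
    # Constructed sample credentials, not data from the thread.
    cookie = make_ac_cookie("alice", "s3cret")
    print(f"{COOKIE_NAME}={cookie}")
    user, pw_b = decode_ac_cookie(cookie)
    print("username:", user)
    print("password:", password_text(pw_b))
    print("reversible:", is_reversible_encoding(cookie))
    # A password made of control characters is shown as escapes, not lost.
    print("binary password:", password_text(b"\x03\x04"))
```

The `password_text` helper is there for the "x034x213324" puzzle in the post: if the decoded bytes are non-printable, Python's `repr()` shows them as `\x..` escapes, which is what a mail client or copy-paste can strip down to something like `x03x04`.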