[Zope] redirect between domains & maintain login

Declan Shanaghy declan at shanaghy.com
Mon Dec 27 01:57:02 EST 2004 

Thanks for the info Andreas,

Just FYI i solved this by encrypting the __ac_name and
__ac_password values in the URL and then hacked
CookieCrumbler.py to decrypt them before it sets the
cookie.

I was wondering if this would be a useful inclusion
into the main CMF code tree?

The general idea is that the user would setup the path
to a method called decrypt as a property of the cookie
crumbler.  If this property is non NULL the cookie
crumbler calls it to decrypt the values b4 setting the
cookie, in an instance where the value is not
decrypted the decryption mechanism should return the
value passed to it.



--- Andreas Jung <lists at andreas-jung.com> wrote:

> 
> 
> --On Donnerstag, 23. Dezember 2004 11:47 Uhr -0800
> Declan Shanaghy 
> <declan at shanaghy.com> wrote:
> 
> > I have set up a portal of shopping sites.
> > Each merchant we support has their own domain set
> up.
> >
> > e.g.
> >
> > http://www.some-merchant.com
> >
> > Seeing as they are shopping sites certain pages
> have
> > to be handled by SSL.
> >
> > Due to SSL limitations only 1 SSL domain
> +certificate
> > can exist per ip, and we only have 1 ip. 
> Therefore my
> > solution is that for non SSL pages the merchant
> can
> > use their own unique domain name, but all SSL
> pages
> > will be redirected to
> >
> > https://merchantname.portal.com and an SSL
> certificate
> > is setup with a CN of *.portal.com
> >
> > A problem arises when switching between domains
> like
> > this.  The login cookie is lost.  Curently i do a
> > redirect between domains and include __ac_name and
> > __ac_password arguments in the URL so the user
> stays
> > logged in, but this causes the username and
> password
> > to be displayed in the address bar in plain text.
> >
> > I'd like to secure this more.
> >
> > Is there any way that i could
> >
> > A - Encrypt __ac_name and __ac_password values?
> >
> > or
> >
> > B - Set the cookie for both domains so name and
> > password dont have to be transferred?
> >
> >
> 
> 
> We do something like that:
> 
>  - if the user visits site A then we assign the user
> a unique session ID 
> *and*
>     store the __ac cookie on the server side as part
> of the session info
> 
>  - if the user visits site B and the session ID must
> be passed somehow to 
> site B.
>      site B then takes the __ac info stored on the
> server and sends a 
> setCookie('__ac',...)
>      header to the client
> 
> This works only if you can share session
> informations between sites however 
> this approach
> might be a bit insecure. At least it works for us
> within an in-house 
> application.
> 
> -aj
> 
>

More information about the Zope mailing list