[Zope-CMF] PATCH: CMFCore/CookieCrumbler, add getAuthCookie method

Andy Dustman andy@dustman.net
25 Aug 2002 22:35:35 -0400



The attached patch allows for a user-defined getAuthCookie method to
complement expireAuthCookie and setAuthCookie. Once this method is added, it
is trivial to implement these methods as Python scripts so that the
authentication data comes from another source, particularly session
data.

Putting it in the session data should increase security slightly, since
the actual session data is not stored in a cookie but in the Zope
server; the cookie in the browser only contains a reference to that
data. Thus, it is more difficult for an eavesdropper to steal
authentication data (username and password) since this is only sent upon
login. It may be possible to hijack sessions (with or without this
patch); I don't know what safeguards there are against this.

I'm not on zope-cmf; please CC: me if you have any comments. Also, this
needs more testing by someone with familiarity with the guts of the
cookie crumbler, but it appears to work.

-- 
Andy Dustman         PGP: 0x930B8AB6
    @       .net     http://dustman.net/andy
"Cogito, ergo sum." -- Rene Descartes
"I yam what I yam and that's all what I yam." -- Popeye
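Added example, not part of Andy's patch and not CMFCore code: a minimal Python model of the three overridable hooks (setAuthCookie, getAuthCookie, expireAuthCookie) implemented the way the mail describes, with the credential blob kept in a server-side session store and only a random token in the browser cookie. The Request, Response, SESSIONS, make_auth_blob, login and authenticate names are constructed stand-ins for Zope's objects and for the cookie branch of modifyRequest; unlike the patch's default signatures, which receive only the response, every hook here is handed both request and response so that a getter or expirer can see the incoming token.

```python
import base64
import secrets
from urllib.parse import quote, unquote

AUTH_COOKIE = '__ac'
# Constructed stand-in for a session data container: token -> session dict.
SESSIONS = {}


class Request:
    """Constructed stand-in for HTTPRequest: cookies the browser sent."""
    def __init__(self, cookies=None):
        self.cookies = dict(cookies or {})
        self._auth = None


class Response:
    """Constructed stand-in for HTTPResponse: cookies this response will set."""
    def __init__(self):
        self.cookies = {}
        self.expired = []

    def setCookie(self, name, value, path='/'):
        self.cookies[name] = {'value': value, 'path': path}

    def expireCookie(self, name, path='/'):
        self.cookies.pop(name, None)
        self.expired.append(name)


def make_auth_blob(name, pw):
    """The encoding CookieCrumbler stores in __ac: URL-quoted base64 of 'name:pw'."""
    raw = base64.b64encode(('%s:%s' % (name, pw)).encode()).decode()
    return quote(raw)


def setAuthCookie(req, resp, cookie_name, cookie_value):
    """Keep the credential blob on the server; the browser gets only a random token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {'auth': cookie_value}
    resp.setCookie(cookie_name, token, path='/')
    return token


def getAuthCookie(req, resp, cookie_name):
    """Resolve the token the browser sent to the stored blob; None if absent or unknown."""
    token = req.cookies.get(cookie_name)
    if not token:
        return None
    entry = SESSIONS.get(token)
    return entry['auth'] if entry else None


def expireAuthCookie(req, resp, cookie_name):
    """Drop the server-side entry and tell the browser to discard the token."""
    token = req.cookies.get(cookie_name)
    if token:
        SESSIONS.pop(token, None)
    resp.expireCookie(cookie_name, path='/')


def login(name, pw):
    """Login step: the returned response carries the token cookie, not the credentials."""
    req, resp = Request(), Response()
    setAuthCookie(req, resp, AUTH_COOKIE, make_auth_blob(name, pw))
    return resp


def authenticate(req, resp):
    """Cookie branch of modifyRequest: rebuild the Basic header from the stored blob."""
    ac = getAuthCookie(req, resp, AUTH_COOKIE)
    if not ac:
        return None
    req._auth = 'Basic %s' % unquote(ac)
    return req._auth


if __name__ == '__main__':
    first = login('alice', 's3cret')
    token = first.cookies[AUTH_COOKIE]['value']
    print('cookie value sent to browser:', token)
    print('auth header on next request:',
          authenticate(Request({AUTH_COOKIE: token}), Response()))
    print('forged token resolves to:',
          authenticate(Request({AUTH_COOKIE: 'forged'}), Response()))
```

The cookie value never contains the username or password, so a captured cookie reveals nothing beyond a reference into the server-side store; as the mail notes, that does not by itself stop someone who holds the token from using it until expireAuthCookie removes the entry.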

Attachment: CookieCrumbler-getAuthCookie.patch

--- CMFCore/CookieCrumbler.py.orig	Sat Aug  3 22:42:22 2002
+++ CMFCore/CookieCrumbler.py	Sun Aug 25 22:19:22 2002
@@ -84,6 +84,9 @@
         except: pass
         try: del req.environ[name]
         except: pass
+        try: self.getCookieMethod('expireAuthCookie',
+                                  self.defaultExpireAuthCookie)(req, name)
+        except: pass
=20
     # Allow overridable cookie set/expiration methods.
     security.declarePrivate('getCookieMethod')
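Review bot: the new call in delRequestVar passes `req` where defaultExpireAuthCookie expects the response (it calls `resp.expireCookie`), and since delRequestVar is also invoked for name_cookie and pw_cookie (see the `self.delRequestVar(req, self.name_cookie)` lines further down), the expire hook would run for those cookie names too; the surrounding bare `except: pass` hides both problems. Suggest passing the response object and calling the hook only where the auth cookie is actually being expired, or dropping this hunk altogether since `unauthorized` and `_unauthorized` already call it.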
@@ -98,10 +101,17 @@
     def defaultExpireAuthCookie( self, resp, cookie_name ):
         resp.expireCookie( cookie_name, path=3D'/')
=20
+    security.declarePrivate('defaultGetAuthCookie')
+    def defaultGetAuthCookie( self, resp, cookie_name ):
+        return resp.cookies.get( cookie_name, None )
+
     security.declarePrivate('modifyRequest')
     def modifyRequest(self, req, resp):
         # Returns flags indicating what the user is trying to do.
=20
+        method =3D self.getCookieMethod( 'getAuthCookie'
+                                       , self.defaultGetAuthCookie )
+        ac =3D method( resp, self.auth_cookie )
         if req.__class__ is not HTTPRequest:
             return ATTEMPT_DISABLED
=20
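Review bot: defaultGetAuthCookie reads `resp.cookies`, which holds cookies this response is about to set (the "If we set the auth cookie before" comment in `unauthorized` relies on exactly that), not the cookies the browser sent; the `req.has_key(self.auth_cookie)` check it replaces consulted the request. With the default hook a returning visitor's __ac cookie will not be seen. Suggest giving the getter the request, e.g. `def defaultGetAuthCookie(self, req, cookie_name): return req.cookies.get(cookie_name, None)`, and moving the `method(...)` call in modifyRequest below the `if req.__class__ is not HTTPRequest` guard so non-HTTP requests are never handed to a user-defined hook.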
@@ -137,9 +147,9 @@
                 self.delRequestVar(req, self.name_cookie)
                 self.delRequestVar(req, self.pw_cookie)
                 return ATTEMPT_LOGIN
-            elif req.has_key(self.auth_cookie):
+            elif ac:
                 # Copy __ac to the auth header.
-                ac =3D unquote(req[self.auth_cookie])
+                ac =3D unquote(ac)
                 req._auth =3D 'Basic %s' % ac
                 req._cookie_auth =3D 1
                 resp._auth =3D 1
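Review bot: `elif ac:` followed by `unquote(ac)` assumes the hook returns either a false value or a string; a user-defined getAuthCookie (the covering mail says these will be Python Scripts) that returns anything else will raise inside modifyRequest. Suggest stating the return contract next to defaultGetAuthCookie (None, or the URL-quoted base64 'name:password' blob that setAuthCookie stored) and rejecting any non-string value before the unquote.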
@@ -192,8 +202,9 @@
     def unauthorized(self):
         resp =3D self._cleanupResponse()
         # If we set the auth cookie before, delete it now.
-        if resp.cookies.has_key(self.auth_cookie):
-            del resp.cookies[self.auth_cookie]
+        method =3D self.getCookieMethod( 'expireAuthCookie'
+                                       , self.defaultExpireAuthCookie )
+        method( resp, self.auth_cookie )
         # Redirect if desired.
         url =3D self.getLoginURL()
         if url is not None:
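Review bot: the replaced lines only removed a cookie this same response had set; the new code runs the expire hook unconditionally, so with the default every unauthorized response now carries an expiring Set-Cookie for __ac, and the comment "If we set the auth cookie before, delete it now" no longer describes the code. Either keep the `resp.cookies.has_key(self.auth_cookie)` guard around the hook call or update the comment to say the cookie is always expired (which is the behaviour a session-backed hook needs in order to drop its server-side entry).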
@@ -204,8 +215,9 @@
     def _unauthorized(self):
         resp =3D self._cleanupResponse()
         # If we set the auth cookie before, delete it now.
-        if resp.cookies.has_key(self.auth_cookie):
-            del resp.cookies[self.auth_cookie]
+        method =3D self.getCookieMethod( 'expireAuthCookie'
+                                       , self.defaultExpireAuthCookie )
+        method( resp, self.auth_cookie )
         # Redirect if desired.
         url =3D self.getLoginURL()
         if url is not None:
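Review bot: these three lines are an exact copy of the change in `unauthorized` above; factor the lookup-and-call into one private helper (say `_expireAuthCookie(self, resp)`, a name suggested here, not in the patch) so the two paths cannot drift. Note also that a `(resp, cookie_name)` hook has no handle on the request, so a session-backed expireAuthCookie must reach the incoming token some other way (in a Zope Python Script, through the acquired REQUEST); documenting that next to defaultExpireAuthCookie would save implementers a surprise.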
