[Zope-CMF] cookies and CMF login

Kelley, Sean SKelley@ci.santa-rosa.ca.us
Fri, 30 Aug 2002 15:17:01 -0700


This looks like it will work.  I am not too up on cookie spoofing or how
someone would do it...If someone with access to sensitive info were
instructed to log out each time they were done with the site it would nullify
the cookie problem, assuming they did this - correct?

> -----Original Message-----
> From: Tres Seaver [mailto:tseaver@zope.com]
> Sent: Friday, August 30, 2002 1:15 PM
> To: Kelley, Sean
> Cc: 'zope-cmf@zope.org'
> Subject: Re: [Zope-CMF] cookies and CMF login
> 
> 
> On Fri, 2002-08-30 at 11:40, Kelley, Sean wrote:
> > I am in a windows environment and I am currently running Zope for an
> > Intranet on a Windows box which I may port to Linux.  Right now, people join
> > the CMF but I want to use cookies so that they do not have to always login.
> > Once they have logged in, I would like them to be able to come back and
> > still be logged in a month from now.  I want to obviously remember the user
> > name and password and do not want them to have to log in to see the site as
> > that user.  I could use some sort of NT authentication, but I want to keep
> > independent security from what my IS dept sets.
> > 
> > I have never used cookies.  How do I do this with CMF 1.3 and Zope 2.5.1?
> > Has anyone done this?  If not, is there a how to that would help me figure
> > it out?
> 
> First, the obligatory warning:  this is a *really* bad idea if your
> authenticated users have access to *any* privileged / sensitive
> information, as that data will be vulnerable to any user who can steal /
> spoof the cookie.
> 
> If, having read that warning, you still need to use persistent
> authentication cookies, the CMF does provide you a pistol;  you do have
> to strap it into your boottop yourself, as follows:
> 
>   - In the 'control' skins folder, select the 'setAuthCookie'
>     PythonScript.
> 
>   - Customize this script (e.g., to your 'custom' skin folder).
> 
>   - Edit the script to include the correct expiration, e.g.::
> 
>       resp.setCookie( cookie_name, cookie_value, path='/'
>                     , expires='Tue, 31-Dec-2099' ) # or whatever
> 
> I never told you this, so please don't complain when you lose your toes.
> 
> Tres.
> -- 
> ===============================================================
> Tres Seaver                                tseaver@zope.com
> Zope Corporation      "Zope Dealers"       http://www.zope.com
>
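The customization Tres describes, as an added example that is not part of this thread or of CMF's own code: a stand-in for the customized `setAuthCookie` skin script with a bounded expiry and the `secure` attribute, plus the logout step Sean asks about, run against a fake response object so it executes outside Zope. `FakeResponse`, `EXAMPLE_NOW`, `cookie_is_persistent` and the cookie value are constructed for the example, and it is an assumption that Zope 2.5.1's `setCookie` takes `secure` as a keyword the same way.

```python
from datetime import datetime, timedelta, timezone

COOKIE_NAME = "__ac"  # CMF CookieCrumbler auth cookie; it carries the credential itself
# Constructed: the date of Sean's mail, so the example is reproducible.
EXAMPLE_NOW = datetime(2002, 8, 30, 22, 17, 1, tzinfo=timezone.utc)

def http_date(dt):
    """Render a datetime in the 'Wdy, DD-Mon-YYYY HH:MM:SS GMT' cookie form."""
    return dt.astimezone(timezone.utc).strftime("%a, %d-%b-%Y %H:%M:%S GMT")

class FakeResponse:
    """Stand-in for Zope's HTTPResponse (assumption: same setCookie keywords)."""
    def __init__(self):
        self.cookies = {}

    def setCookie(self, name, value, **attrs):
        self.cookies[name] = dict(value=value, **attrs)

    def expireCookie(self, name, **attrs):
        # A date in the past plus max_age=0 tells the browser to discard it.
        self.setCookie(name, "deleted", expires="Wed, 31-Dec-97 23:59:59 GMT",
                       max_age=0, **attrs)

    def set_cookie_header(self, name):
        """Approximate the Set-Cookie line the browser receives."""
        c = self.cookies[name]
        parts = ['%s="%s"' % (name, c["value"])]
        for attr in ("expires", "path", "max_age"):
            if attr in c:
                parts.append("%s=%s" % (attr.replace("_", "-").title(), c[attr]))
        if c.get("secure"):
            parts.append("secure")
        return "Set-Cookie: " + "; ".join(parts)

def setAuthCookie(resp, cookie_name, cookie_value, days=30, now=None):
    """Customized 'setAuthCookie' (same parameters as the CMF skin script): a
    bounded lifetime instead of 2099, plus secure=1 so the cookie stays on HTTPS."""
    expires = http_date((now or datetime.now(timezone.utc)) + timedelta(days=days))
    resp.setCookie(cookie_name, cookie_value, path="/", expires=expires, secure=1)
    return expires

def logout(resp, cookie_name=COOKIE_NAME):
    """Logout must expire the persistent cookie.  This only removes the browser's
    copy; a copy already stolen stays valid, as nothing is revoked server-side."""
    resp.expireCookie(cookie_name, path="/")

def cookie_is_persistent(resp, cookie_name=COOKIE_NAME):
    c = resp.cookies.get(cookie_name)
    return bool(c) and "expires" in c and c.get("max_age") != 0
```

Because CookieCrumbler's cookie is itself the credential rather than a reference to server-side state, expiring it at logout protects only the copy in that browser; shortening the lifetime and restricting it to HTTPS is what limits the exposure Tres warns about.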