[Zope-dev] Re: [patch] More secure cookie crumbler?

Tres Seaver tseaver at zope.com
Tue Apr 13 01:34:28 EDT 2004


Stuart Bishop wrote:
> 
> On 12/04/2004, at 10:39 PM, Shane Hathaway wrote:
> 
>> On Mon, 12 Apr 2004, Chris Withers wrote:
>>
>>> I think the attached patch (against CookieCrumbler 1.1) makes
>>> CookieCrumbler a little more secure.
>>
>>
>> Your patch won't work with multiple ZEO app servers.  It appears to store
>> the tokens in a module global.  Do not apply it.
> 
> 
> I've attached some similar code we are using. Instead of
> patching CookieCrumbler, it extends it and is drop-in compatible.
> We are stuffing the auth credentials into the SESSION, so it will
> work with ZEO if your SESSION machinery copes (either using server
> affinity or your session storage is mounted by the ZEO clients from
> a central storage).
> 
> I was going to pack this up and release it as a product under
> BSD or MIT licence, but I either forgot or came up with a technical
> reason not to. Either way, I'm having memory issues :-)
> 
> Does this look worth releasing as a separate product?

I haven't looked at the code.  Do you have actual experience using core 
sessions over ZEO?  I pondered that recently for a client, and fell back 
to using a hacked together version of Anthony Baxter's SQLSession 
product, instead.

SessionStorage would work either as a separate product, or as a knob for 
the CookieCrumbler, I think.  If ZPL is an adequate license, why don't 
you check it in there?

>>> PS: To make cookie auth properly secure, you really need to be working
>>> over SSL only
>>
>>
>> I agree--SSL is required.  Let's not give people a false
>> sense of security by changing CookieCrumbler.
> 
> 
> Unfortunately it causes performance to blow. We compromise by
> having the auth form on the SSL server, but the rest of the
> application on raw HTTP. This at least reduces the window
> that a replay attack can be used. It would be possible to
> tie the auth credential down to a particular IP address,
> but that is entering the world of diminishing returns and
> incompatibilities (think ISPs with farms of proxies - is this
> still a problem nowadays?).

Yes; not only that, but AOL users change their IPs seemingly at random 
during a single session.

Tres.
-- 
===============================================================
Tres Seaver                                tseaver at zope.com
Zope Corporation      "Zope Dealers"       http://www.zope.com
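Added example (not from the thread, and not CookieCrumbler or Stuart Bishop's extension): a toy model of the two points argued above. Two "app server" objects stand in for ZEO clients; a per-server dict plays the role of the module global Shane objects to, a dict handed to both servers plays the role of session storage mounted from a central storage, and an optional IP-binding flag shows why tying the credential to an address breaks for the proxy-farm / AOL case Tres describes. Names, addresses and the token format are assumptions made up for the illustration.

```python
import secrets


class AppServer:
    """One ZEO client process.

    `shared` is a dict standing in for session storage that every client
    mounts from a central storage.  When it is None the server keeps a
    private dict, which behaves like a module-global token table: only the
    process that issued a token can later recognise it.
    """

    def __init__(self, name, shared=None):
        self.name = name
        self.tokens = shared if shared is not None else {}

    def login(self, user, client_ip, bind_ip=False):
        # Issue an unguessable cookie value; remember the client IP only if
        # the deployment chose to bind the credential to an address.
        token = secrets.token_hex(16)
        self.tokens[token] = (user, client_ip if bind_ip else None)
        return token

    def authenticate(self, token, client_ip):
        # Returns the user name for a valid token, None otherwise.
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user, bound_ip = entry
        if bound_ip is not None and bound_ip != client_ip:
            return None
        return user


def module_global_scenario():
    """Token table kept per process: a second app server rejects the cookie."""
    app1 = AppServer("app1")
    app2 = AppServer("app2")
    token = app1.login("alice", "10.0.0.5")          # constructed client IP
    return app1.authenticate(token, "10.0.0.5"), app2.authenticate(token, "10.0.0.5")


def shared_session_scenario():
    """Token table in central session storage: any app server accepts it."""
    store = {}
    app1 = AppServer("app1", shared=store)
    app2 = AppServer("app2", shared=store)
    token = app1.login("alice", "10.0.0.5")
    return app1.authenticate(token, "10.0.0.5"), app2.authenticate(token, "10.0.0.5")


def ip_binding_scenario():
    """Binding to the client IP stops a replayed cookie from another address,
    but equally logs out a legitimate user whose proxy egress IP changes."""
    store = {}
    app1 = AppServer("app1", shared=store)
    token = app1.login("alice", "10.0.0.5", bind_ip=True)
    same_ip = app1.authenticate(token, "10.0.0.5")
    moved_ip = app1.authenticate(token, "10.0.0.6")   # same user, new egress IP
    return same_ip, moved_ip


if __name__ == "__main__":
    print("module global:", module_global_scenario())
    print("shared session:", shared_session_scenario())
    print("ip binding:   ", ip_binding_scenario())
```

The IP-bound case cannot distinguish a replaying attacker from a roaming legitimate user, which is the "diminishing returns" point: the sniffed cookie is only useless to an attacker who happens to be on a different address, while every address change on the user's side costs a re-login.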