[Zope-dev] encrypted _ac_name & _ac_password

Declan Shanaghy declan at shanaghy.com
Mon Dec 27 02:03:00 EST 2004


I was wondering if my solution to the problem outlined
below would be a useful inclusion into the main CMF code
tree?


I solved this by encrypting the __ac_name and
__ac_password values in the URL and then hacked
CookieCrumbler.py to decrypt them before it sets the
cookie.


The general idea is that the user would set up the path
to a method called decrypt as a property of the cookie
crumbler.  If this property is non NULL the cookie
crumbler calls it to decrypt the values before setting the
cookie.  In an instance where the value is not
encrypted, the decryption mechanism should return the
value passed to it.



--On Donnerstag, 23. Dezember 2004 11:47 Uhr -0800
Declan Shanaghy <declan at shanaghy.com> wrote:

> I have set up a portal of shopping sites.
> Each merchant we support has their own domain set
> up.
>
> e.g.
>
> http://www.some-merchant.com
>
> Seeing as they are shopping sites certain pages have
> to be handled by SSL.
>
> Due to SSL limitations only 1 SSL domain+certificate
> can exist per ip, and we only have 1 ip. Therefore
> my solution is that for non SSL pages the merchant can
> use their own unique domain name, but all SSL pages
> will be redirected to
>
> https://merchantname.portal.com and an SSL
> certificate is setup with a CN of *.portal.com
>
> A problem arises when switching between domains like
> this.  The login cookie is lost.  Currently I do a
> redirect between domains and include __ac_name and
> __ac_password arguments in the URL so the user stays
> logged in, but this causes the username and password
> to be displayed in the address bar in plain text.
>
> I'd like to secure this more.
>
> Is there any way that I could
>
> A - Encrypt __ac_name and __ac_password values?
>
> or
>
> B - Set the cookie for both domains so name and
> password don't have to be transferred?
>
>
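An added illustration of the decrypt hook described in the post (example code, not the poster's CookieCrumbler patch): `encrypt_value` produces the token placed in the redirect URL and `decrypt_hook` is the method the cookie crumbler property would point at. It passes unencrypted values through unchanged, as the post requires; the `enc:` prefix, the key-derivation scheme and the HMAC-counter-mode construction are assumptions chosen so the example runs on the standard library alone, and a production deployment would use an established AEAD library instead.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo secret; a deployment would load this from configuration.
SECRET_KEY = b"example-shared-secret-demo-only"
PREFIX = "enc:"  # assumed marker that distinguishes tokens from plain values


def _keys(secret):
    # Derive separate encryption and authentication keys from one secret.
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode; an illustrative stand-in for a real AEAD.
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(value, secret=SECRET_KEY, nonce=None):
    """Turn a credential into an authenticated token for the redirect URL."""
    enc_key, mac_key = _keys(secret)
    nonce = os.urandom(16) if nonce is None else nonce
    plain = value.encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plain))
    cipher = bytes(a ^ b for a, b in zip(plain, stream))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return PREFIX + base64.urlsafe_b64encode(nonce + cipher + tag).decode("ascii")


def decrypt_hook(value, secret=SECRET_KEY):
    """The 'decrypt' method the cookie crumbler calls before setting the cookie.

    Plain values are returned unchanged, as the post requires.  A token whose
    tag does not verify is rejected; that choice is this example's, not the post's.
    """
    if not value.startswith(PREFIX):
        return value
    enc_key, mac_key = _keys(secret)
    raw = base64.urlsafe_b64decode(value[len(PREFIX):].encode("ascii"))
    nonce, cipher, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("credential token failed authentication")
    stream = _keystream(enc_key, nonce, len(cipher))
    return bytes(a ^ b for a, b in zip(cipher, stream)).decode("utf-8")
```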


