[Zope-PAS] CookieAuthHelper.

Chris McDonough chrism at plope.com
Thu Nov 18 14:00:11 EST 2004


I see.  I'm not sure of the best way to fix this and still have it
operate properly.  Nobody else sees this "double auth" issue, huh?

On Thu, 2004-11-18 at 19:50 +0100, Florent Guillaume wrote:
> I think the idea is that it's bad to leave secret information left in
> the request after it's been used during traversal, in case the request
> object is later seen by an untrusted party.
> 
> CookieCrumbler basically does:
>                 self.delRequestVar(req, self.name_cookie)
>                 self.delRequestVar(req, self.pw_cookie)
> 
> Florent
> 
> > Index: CookieAuthHelper.py
> > ===================================================================
> > RCS file: /home/dixonhughes_com/cvs_efr/Products/PluggableAuthService/plugins/CookieAuthHelper.py,v
> > retrieving revision 1.2
> > diff -u -r1.2 CookieAuthHelper.py
> > --- CookieAuthHelper.py 8 Nov 2004 09:11:37 -0000       1.2
> > +++ CookieAuthHelper.py 14 Nov 2004 03:47:15 -0000
> > @@ -117,8 +117,8 @@
> >                  creds['login'] = login
> >                  creds['password'] = password
> > 
> > -                request.set('__ac_name', '')
> > -                request.set('__ac_password', '')
> > +                #request.set('__ac_name', '')
> > +                #request.set('__ac_password', '')
> > 
> >          if creds:
> >              creds['remote_host'] = request.get('REMOTE_HOST', '')
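Review bot: commenting out the two request.set calls removes the credential scrubbing altogether, so the login and password extracted just above remain readable in the request for the rest of traversal, which is the exposure Florent describes in the surrounding reply. If the blank-string entries left in REQUEST.other are what triggers the second authentication, the smaller change is to delete the keys rather than blank them, the way CookieCrumbler does with `self.delRequestVar(req, self.name_cookie)`, and to add a comment next to the scrub saying why it exists, since the lack of one is what prompted this patch.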
> > 
> > The problem was that the request.set puts "__ac_name" and
> > "__ac_password" (both as blank strings) into the REQUEST.other
> > dictionary.  I have no idea why this is done.
> 
> 
> 
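As an added example (not code from PluggableAuthService or CookieCrumbler) contrasting the two scrubbing approaches the thread discusses: `request.set(name, '')` as in the original CookieAuthHelper lines, versus deleting the variable the way CookieCrumbler's delRequestVar does. `FakeRequest` is an assumption standing in for Zope's HTTPRequest and models only the lookup order that matters here (`other` shadows `form` and `cookies` in `get()`); the login values are constructed samples.

```python
class FakeRequest:
    """Stand-in for Zope's HTTPRequest (assumption, simplified): get() looks
    in 'other' first, then 'form', then 'cookies'; set() writes to 'other'."""

    def __init__(self, form=None, cookies=None):
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})
        self.other = {}

    def set(self, name, value):
        self.other[name] = value

    def get(self, name, default=None):
        for mapping in (self.other, self.form, self.cookies):
            if name in mapping:
                return mapping[name]
        return default


def scrub_by_blanking(request, *names):
    """The approach in the original CookieAuthHelper lines: request.set(name, '').
    get() now returns '' for each name, but the blank entries stay in
    request.other and the submitted values stay in request.form."""
    for name in names:
        request.set(name, '')


def scrub_by_deleting(request, *names):
    """Modelled on CookieCrumbler's delRequestVar: drop the key from every
    mapping the request consults, so nothing (blank or real) remains."""
    for name in names:
        for mapping in (request.other, request.form, request.cookies):
            mapping.pop(name, None)


def visible_after(scrub, *names):
    """Run one scrub over a constructed login post (sample values, not real
    credentials) and report what get() still returns for each name."""
    req = FakeRequest(form={'__ac_name': 'alice', '__ac_password': 'hunter2'})
    scrub(req, *names)
    return {n: req.get(n) for n in names if req.get(n) is not None}


if __name__ == '__main__':
    names = ('__ac_name', '__ac_password')
    print('blanking leaves:', visible_after(scrub_by_blanking, *names))
    print('deleting leaves:', visible_after(scrub_by_deleting, *names))
```

Blanking still leaves `__ac_name` and `__ac_password` present (as empty strings) for any later code that checks for the keys, while deleting leaves nothing to find.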