[Zope-PAS] Re: [Plone-developers] Re: Plugin for PluggableUserFolder
tseaver at zope.com
Mon Oct 11 08:56:59 EDT 2004
Jean-Marc Orliaguet wrote:
> Tres Seaver wrote:
>> Jean-Marc Orliaguet wrote:
>>> There was a discussion earlier on the list (I don't remember which
>>> one) about implementing a more secure cookie crumbler.
>>> Just for information: I have updated the KerberosIdentification
>>> plugin for PluggableUserFolder (basically an external authentication
>>> plugin) to force it to not store the password in '__ac' in a cookie
>>> (not even in the Zope session as SessionCrumbler does). So the
>>> password is only used once, i.e. when the user logs in, and then it
>>> is not used or stored anymore during the session. Hence there is no
>>> risk that the password be seen in any way: i.e. through a core dump,
>>> unencrypted session w/ ZEO, etc...
>>> The information about authenticated users (similar to a ticket
>>> containing the username and the ZopeID) is saved in a RAM cache so it
>>> is possible to know how many users are logged on simultaneously, or
>>> to implement an auto-logout function, etc. or to prevent a same user
>>> from being logged on from several sessions (as it is by default in
>>> this implementation).
>>> It won't work with ZEO though unless the session is bound to a same
>>> zope server for a given period of time.
>>> To clear the password I had to remove CookieCrumbler and implement
>>> the cookie management part in the plugin instead.
>>> Here is the readme:
>>> And the code:
>>> I am also working on a RAMCacheCrumbler that stores the __ac in RAM,
>>> and which is faster than SessionCrumbler (see
>>> Now I would like to make it work without storing the __ac in RAM. Has
>>> anyone had any experience with this?
>>> I feel that the best solution is to dump the crumbler and implement
>>> everything in the userfolder.
>>> Has anyone managed to write a cookiecrumbler / sessioncrumbler /
>>> whatevercrumbler that does not store the password anywhere?
>> Note that there is a PAS-specific list, 'zope-pas at zope.org'. I am
>> CC'ing the zope-pas list so that the existence of the thread is noted
>> in its archives.
> I have uploaded a 0.1 release of a RAMCacheCrumbler if anyone is
> interested in testing it.
> The __ac string is stored in a ram cache (protected) and the user name
> is saved in a protected class in the session (cf PluggableUserFolder).
> It would be safer if the __ac string with the password was not stored
> anywhere, but it is still safer than storing it in a cookie
> (CookieCrumbler) or in the session (SessionCrumbler).
> There is no mechanism to expire entries in the cache yet but the cache
> size does not grow since every user cannot have more than one entry in
> it (new entries replace old ones).
> PS for plone users: some skins need to be updated to remove hardcoded
> references to 'cookie_authentication' and refer to
> 'ramcache_authentication' instead (or simply create a RAMCacheCrumbler
> called 'cookie_authentication').
Please continue to include zope-pas at zope.org in this discussion (in
fact, I would recommend trimming *all* the other groups out; interested
parties should be willing to move to the more focused list).
Tres Seaver tseaver at zope.com
Zope Corporation "Zope Dealers" http://www.zope.com
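As an added illustration (not the RAMCacheCrumbler or KerberosIdentification code from the thread), here is a minimal Python ticket store following the design Jean-Marc describes: the password is verified once at login and never retained, RAM holds only an opaque ticket mapped to the username, each user holds at most one session (a new login replaces the old one), and entries expire to give the auto-logout the 0.1 release does not yet have. The class and function names, the sample user and the PBKDF2 check are assumptions for the example.

```python
import hashlib, hmac, secrets, time
# Constructed sample credential store: salted PBKDF2 digests, no plaintext.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret", _SALT, 100_000)}

def check_password(username, password):
    # Called exactly once, at login; the password is discarded afterwards.
    digest = _USERS.get(username)
    if digest is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, candidate)

class RAMTicketStore:
    # RAM holds only ticket -> (username, issued_at), one ticket per user.
    def __init__(self, verify_password=check_password, max_age=600):
        self._verify = verify_password
        self._max_age = max_age          # seconds of validity before auto-logout
        self._tickets = {}               # ticket -> (username, issued_at)
        self._by_user = {}               # username -> ticket

    def login(self, username, password, now=None):
        # Returns an opaque random ticket, or None if the credentials are rejected.
        if not self._verify(username, password):
            return None
        now = time.time() if now is None else now
        old = self._by_user.get(username)
        if old is not None:              # a new login replaces the old session
            self._tickets.pop(old, None)
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (username, now)
        self._by_user[username] = ticket
        return ticket

    def identify(self, ticket, now=None):
        # Maps a ticket back to a username; unknown or expired gives None.
        now = time.time() if now is None else now
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        username, issued = entry
        if now - issued > self._max_age:
            self.logout(ticket)          # auto-logout on expiry
            return None
        return username

    def logout(self, ticket):
        entry = self._tickets.pop(ticket, None)
        if entry is not None:
            self._by_user.pop(entry[0], None)
```

Because the ticket is random and server-side, a core dump or an unencrypted ZEO session exposes at most the ticket, never the password; as in the thread, the store is per-process and would need to be shared or sticky-routed to work behind ZEO.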