[Zope] UserDb extensions
Oleg Machulski
oleg_machulski@geocities.com
Fri, 21 May 1999 13:29:30 +0300
"Ross J. Reedstrom" wrote:
>
> Hey zopeists -
> I've already sent a note to the DC guys about this, but they're all busy
> having fun at the Expo, so I thought I'd let the rest of you know, as
> well. I've been using the UserDb unsupported product, and like it. However,
> I've been bothered by seeing my users' cleartext passwords in the db, so I
> added crypt hashed storage to the UserDb product. This will allow the use
> of unix 'passwd' style passwords (also used by apache for .htpasswd files)
> in the database. It also gives a modicum of security if your db backend
> is on a different machine from the Zope install, so the passwords don't
> travel around in the clear in the SQL queries.
You mentioned problems related to password storage, but it seems there
are security problems in the UserDb package which are related to the
interaction between Zope and the client browser:
1) The "__ac" cookie used in cookie-based authentication contains just
the base64-encoded string "<username>:<password>", and using such cookies
is similar to transferring passwords through the net in plain-text
form :-)
It seems that it would be much better to use a kind of
hash function as the cookie string (MD5, for example).
2) As I understood from the UserDb code, the __ac cookie never expires
(it is expired manually in some cases), just because it does not
contain a timestamp (either last hit or moment of cookie creation).
So, as I see it, the right solution may be the following:
the cookie must contain the username and timestamp in plaintext form
(or base64-encoded, does not matter) and a hash function of
"username:password:timestamp".
--
Best regards
Oleg Machulski
----------------------------------------------------
http://www.geocities.com/SiliconValley/Network/7671/
mailto:oleg_machulski@geocities.com
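The two cookie formats discussed in the message above, as an added example that is not part of the original thread or of the UserDb product: the base64 "__ac" cookie is decoded to show it carries the password in the clear, and the proposed replacement (username and timestamp in plain text plus an MD5 digest of "username:password:timestamp") is built and verified with an expiry check. The cookie layout `username:timestamp:hexdigest`, the in-memory user table, the one-hour lifetime and the function names are assumptions made for this example; MD5 is used only because it is what the message suggests.

```python
import base64
import hashlib
import hmac
import time

# Constructed credential store (assumption): the hash-cookie scheme proposed in
# the thread requires the server to recompute the digest, so it needs the
# password, or something derived from it, for each user.
USERS = {"alice": "s3cret"}

MAX_AGE = 3600  # seconds a cookie stays valid (assumed value, not from the thread)


def make_plain_ac_cookie(username, password):
    """The original UserDb-style __ac cookie: base64 of 'username:password'."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_plain_ac_cookie(cookie):
    """Anyone who captures the cookie recovers the credentials: base64 is encoding, not encryption."""
    user, _, password = base64.b64decode(cookie).decode().partition(":")
    return user, password


def _digest(username, password, timestamp):
    # MD5 over "username:password:timestamp", exactly as the message suggests.
    return hashlib.md5(f"{username}:{password}:{timestamp}".encode()).hexdigest()


def make_hashed_ac_cookie(username, password, now=None):
    """Proposed cookie: 'username:timestamp:md5hex' (layout is an assumption)."""
    ts = int(now if now is not None else time.time())
    return f"{username}:{ts}:{_digest(username, password, ts)}"


def verify_hashed_ac_cookie(cookie, now=None, max_age=MAX_AGE):
    """Return the username if the cookie is authentic and unexpired, else None."""
    try:
        # rsplit so a username containing ':' still parses; ts and digest never do.
        username, ts_str, digest = cookie.rsplit(":", 2)
        ts = int(ts_str)
    except ValueError:
        return None
    password = USERS.get(username)
    if password is None:
        return None
    now = int(now if now is not None else time.time())
    if ts > now or now - ts > max_age:
        return None  # expired, or a timestamp forged into the future
    expected = _digest(username, password, ts)
    if not hmac.compare_digest(expected, digest):
        return None  # username or timestamp tampered with, or wrong password
    return username


if __name__ == "__main__":
    plain = make_plain_ac_cookie("alice", "s3cret")
    print("plain __ac cookie:", plain, "->", decode_plain_ac_cookie(plain))
    hashed = make_hashed_ac_cookie("alice", "s3cret", now=1000)
    print("hashed cookie:", hashed)
    print("valid at t=1500:", verify_hashed_ac_cookie(hashed, now=1500))
    print("valid at t=5000:", verify_hashed_ac_cookie(hashed, now=5000))
```

Two points worth noting when adopting this layout. First, the server must hold the password (or a stable value derived from it) to recompute the digest; feeding the stored crypt hash from the earlier message into `_digest` instead of the cleartext password keeps the two changes compatible. Second, because the digest is an unkeyed, fast hash, whoever captures a cookie can guess passwords offline against it, so a server-side secret mixed in with `hmac.new` is the stronger choice; the timestamp check is what bounds replay of a captured cookie.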