[ZCM] [ZC] 527/ 3 Comment "SESSION and authentication"

Collector: Zope Bugs, Features, and Patches ... zope-coders@zope.org
Mon, 19 Aug 2002 17:10:27 -0400


Issue #527 Update (Comment) "SESSION and authentication"
 Status Rejected, Zope/feature+solution medium
To followup, visit:
  http://collector.zope.org/Zope/527

==============================================================
= Comment - Entry #3 by mcdonc on Aug 19, 2002 5:10 pm

I agree with you that some folks will leave themselves open for this.  But you can't really legislate against stupidity.  ;-) 

There's no way really to know when a user logs out using the default Zope user folder, as it uses HTTP basic auth, which doesn't have a logout "verb".  Additionally, there are dozens of user folder implementations that are not part of the Zope core and which cannot be uniformly modified to expire a session at logout time.

The "thing to do" if the risk is perceived so high as to warrant it would be to switch to a session-based user folder in the default Zope config, but this is a fairly big switch and will likely not happen in Zope 2.X for backwards-compatibility reasons.

So there is indeed a risk.  We are choosing to mitigate it by explaining the risks in http://www.zope.org/Documentation/Books/ZopeBook/2_6Edition/Sessions.stx rather than by enforcing it across many different pieces of software.

Hope this makes sense,

- C


________________________________________
= Reject - Entry #2 by mcdonc on Aug 19, 2002 9:01 am

 Status: Pending => Rejected

> = Request - Entry #1 by Anonymous User on Aug 19, 2002 8:54 am
> 
> The REQUEST.SESSION is not "cleared" when you log out (or log in).
> In fact, the session cookie should change when you log out or log in.

In Zope, unlike other systems, sessions are not intimately tied to authentication.  It is the programmer's responsibility to clear the contents of the session when a user logs out.  That said, there is at least one Session User Folder on Zope.org out there that might help with this.
________________________________________
= Request - Entry #1 by Anonymous User on Aug 19, 2002 8:54 am

The REQUEST.SESSION is not "cleared" when you log out (or log in).
In fact, the session cookie should change when you log out or log in.

An application can store user-dependent information that can still be accessed after the user logs out. That information can be critical to the application (for security reasons: the SESSION data may be cached calculations or simply private elements).

Solution: whenever the authentication status changes, expire the session cookie (flush the browser id cookie).
==============================================================
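The exchange above boils down to one point: a session keyed only by a browser id cookie outlives the authentication it was populated under, so the next person at the same browser inherits it unless the logout code clears it. The following is an added example, not code from Zope or from anyone in this thread. It models the cookie-keyed session store in plain Python (the cookie names, the `SessionStore` class and the `__ac` auth cookie are assumptions for the example) and contrasts the logout described in Entry #1, which leaves the session alone, with the logout Entry #2 asks the programmer to write, which clears the session and rotates the browser id.

```python
"""Toy model of a cookie-keyed session store, illustrating Collector #527.

Added example, not Zope code: the transient session container and the
browser id cookie are simulated here so the scenario runs offline.
"""
import secrets

BROWSER_ID_COOKIE = "_ZopeId"   # cookie name assumed for the example
AUTH_COOKIE = "__ac"            # assumed cookie-based auth, for contrast


class SessionStore:
    """Maps a browser id to that browser's session dict (stands in for a
    transient object container: data is created on first touch and is
    keyed by nothing but the cookie value)."""

    def __init__(self):
        self._data = {}

    def session_for(self, browser_id):
        return self._data.setdefault(browser_id, {})

    def invalidate(self, browser_id):
        # Drop the session data itself, not just the cookie pointing at it.
        self._data.pop(browser_id, None)


class Browser:
    """The cookie jar of one physical browser shared by several people."""

    def __init__(self):
        self.cookies = {}


def new_browser_id():
    return secrets.token_urlsafe(16)


def current_session(store, browser):
    """What REQUEST.SESSION does: look up (or lazily create) the session
    for the browser id cookie, issuing a cookie if the browser has none."""
    bid = browser.cookies.get(BROWSER_ID_COOKIE)
    if bid is None:
        bid = new_browser_id()
        browser.cookies[BROWSER_ID_COOKIE] = bid
    return store.session_for(bid)


def rotate_session(store, browser):
    """Invalidate the session behind the current browser id and issue a
    fresh id.  Called whenever authentication status changes, as the
    request in Entry #1 asks, so login and logout both start clean."""
    old = browser.cookies.pop(BROWSER_ID_COOKIE, None)
    if old is not None:
        store.invalidate(old)
    browser.cookies[BROWSER_ID_COOKIE] = new_browser_id()


def logout_naive(store, browser):
    """Logout as reported: authentication ends, session data stays."""
    browser.cookies.pop(AUTH_COOKIE, None)


def logout_hardened(store, browser):
    """Logout as Entry #2 expects the programmer to write it."""
    browser.cookies.pop(AUTH_COOKIE, None)
    rotate_session(store, browser)


def shared_browser_scenario(logout):
    """Alice logs in on a shared browser, the app caches a private value
    in her session, she logs out, then Bob uses the same browser.
    Returns whatever Bob's first request can read from the session."""
    store, browser = SessionStore(), Browser()
    browser.cookies[AUTH_COOKIE] = "alice"          # constructed login
    current_session(store, browser)["account_summary"] = "alice: balance 1200"
    logout(store, browser)
    return current_session(store, browser).get("account_summary")


def browser_id_changes(logout):
    """True if the browser id cookie differs before and after logout."""
    store, browser = SessionStore(), Browser()
    current_session(store, browser)
    before = browser.cookies[BROWSER_ID_COOKIE]
    logout(store, browser)
    return browser.cookies.get(BROWSER_ID_COOKIE) != before


if __name__ == "__main__":
    print("naive logout, Bob reads:", shared_browser_scenario(logout_naive))
    print("hardened logout, Bob reads:", shared_browser_scenario(logout_hardened))
```

With the naive logout Bob's first request returns Alice's cached summary; with the hardened one it returns nothing and the browser id cookie has changed. Rotating on login as well as logout is what the original request asks for, and it also means a browser id that was handed out before authentication never identifies an authenticated session. In Zope 2 the equivalent calls are the session object's `invalidate()` method and the browser id manager's `flushBrowserIdCookie()`, described in the Sessions chapter of the Zope Book linked in Entry #3; the point of Entry #2 is that the application, not the user folder, has to make those calls.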