[Zope-CMF] Re: [CPS-devel] Plugin for PluggableUserFolder (was: more secure cookie crumber)

Jean-Marc Orliaguet jmo at ita.chalmers.se
Thu Oct 7 08:58:50 EDT 2004


Lennart Regebro wrote:

> Hi!
>
> Jean-Marc Orliaguet wrote:
>
>> Has anyone managed to write a cookiecrumbler / sessioncrumbler / 
>> whatevercrumbler that does not store the password anywhere?
>
>
> Yes, the CASIdentification.py plugin (available in v 2.5.0) uses the 
> ProtectedAuthInfo class. This is just a simple class where the 
> contents are not available from python scripts or templates.
>
> So CAS stores the username in that object and puts it in the session. 
> If it's there, and it is the correct type (so you can't replace it 
> with a fake object), the plugin returns that username as a valid user.
>
> Seems pretty safe.


What I was thinking of is this:
since users get authenticated once per session:
- is there any reason to store the password at all in a class or in a 
cookie or in RAM or in the session when authentication has succeeded and 
when this is done outside Zope (e.g. krb5, AD, ...)?
- why not give a ticket to the user that expires after some time (maybe 
save it in a cookie) and have Zope trust the ticket?
 
Basically, even if the password is stored in the world's safest place, 
why store it at all if it is not going to be used again during the session?

/JM
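
The ticket scheme sketched in the message above, written out as an added, stand-alone example (not code from the thread, from the CASIdentification plugin, from PluggableUserFolder or from any Zope API): the user is authenticated once against an external source, a signed ticket carrying only the username and an expiry time is put in a cookie, and every later request is trusted on the strength of the ticket alone, so the password is never stored. The cookie name, the HMAC-SHA256 ticket layout, the helper names and the test accounts are assumptions made for the example.

```python
"""Expiring, signed login ticket issued after external authentication.

Added example, not the mailing-list author's or the project's code.
Ticket layout, cookie name and helper names are assumptions.
"""

import base64
import hashlib
import hmac
import time

# Server-side secret used to sign tickets.  Constructed value for the
# example; a real deployment loads it from configuration.
SERVER_SECRET = b"replace-me-with-a-random-secret-from-config"
TICKET_LIFETIME = 3600          # seconds a ticket stays valid
COOKIE_NAME = "__ac_ticket"     # assumed cookie name, not a Zope convention


def issue_ticket(username, now=None):
    """Build 'b64(username)|expires|hmac' once external auth has succeeded.

    The username is base64-encoded so it can never contain the '|'
    separator; the MAC covers both the name and the expiry time.
    """
    if now is None:
        now = time.time()
    expires = int(now) + TICKET_LIFETIME
    user_b64 = base64.urlsafe_b64encode(username.encode()).decode()
    signed = f"{user_b64}|{expires}"
    tag = hmac.new(SERVER_SECRET, signed.encode(), hashlib.sha256).hexdigest()
    return f"{signed}|{tag}"


def verify_ticket(ticket, now=None):
    """Return the username if the ticket is intact and unexpired, else None."""
    if now is None:
        now = time.time()
    parts = ticket.split("|")
    if len(parts) != 3:
        return None
    user_b64, expires_str, tag = parts
    signed = f"{user_b64}|{expires_str}"
    expected = hmac.new(SERVER_SECRET, signed.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a forger learns nothing from timing.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        expires = int(expires_str)
        username = base64.urlsafe_b64decode(user_b64.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= expires:
        return None
    return username


def external_auth_ok(username, password):
    """Stand-in for the external authenticator (krb5, AD, ...).

    Constructed test accounts for the example; a real deployment asks
    the directory and never keeps the password afterwards.
    """
    accounts = {"alice": "correct horse", "bob": "battery staple"}
    return accounts.get(username) == password


def login(username, password, cookies, now=None):
    """Authenticate once externally; on success store only a ticket.

    The password is used for this one check and then dropped.
    """
    if not external_auth_ok(username, password):
        return False
    cookies[COOKIE_NAME] = issue_ticket(username, now)
    return True


def current_user(cookies, now=None):
    """What a user folder would do on every later request: trust the
    ticket and never ask for the password again."""
    ticket = cookies.get(COOKIE_NAME)
    if ticket is None:
        return None
    return verify_ticket(ticket, now)


if __name__ == "__main__":
    jar = {}
    print("login:", login("alice", "correct horse", jar))
    print("user on next request:", current_user(jar))
    forged = "Ym9i|" + "|".join(jar[COOKIE_NAME].split("|")[1:])
    print("forged ticket accepted:", verify_ticket(forged) is not None)
```

One caveat worth keeping in mind with this design: the ticket is a bearer token, so anyone who obtains the cookie can use it until it expires. Keep the lifetime short, send the cookie only over TLS, and make the secret truly random, since the MAC is the only thing standing between a forger and a valid ticket.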

