[Zope-CMF] Re: [Plone-developers] Re: Plugin for PluggableUserFolder (was: more secure cookie crumber)

Jean-Marc Orliaguet jmo at ita.chalmers.se
Sun Oct 10 11:50:33 EDT 2004


Tres Seaver wrote:

> Jean-Marc Orliaguet wrote:
>
>>
>> Hi!
>>
>> There was a discussion earlier on the list (I don't remember which 
>> one) about implementing a more secure cookie crumbler.
>>
>> Just for information: I have updated the KerberosIdentification 
>> plugin for PluggableUserFolder (basically an external authentication 
>> plugin) to force it to not store the password in '__ac' in a cookie 
>> (not even in the Zope session as SessionCrumbler does). So the 
>> password is only used once, i.e. when the user logs in, and then it 
>> is not used or stored anymore during the session. Hence there is no 
>> risk that the password be seen in any way: i.e. through a core dump, 
>> unencrypted session w/ ZEO, etc...
>>
>> The information about authenticated users (similar to a ticket 
>> containing the username and the ZopeID) is saved in a RAM cache so it 
>> is possible to know how many users are logged on simultaneously, or 
>> to implement an auto-logout function, etc. or to prevent the same user 
>> from being logged on from several sessions (as it is by default in 
>> this implementation).
>> It won't work with ZEO though unless the session is bound to the same 
>> zope server for a given period of time.
>>
>> To clear the password I had to remove CookieCrumbler and implement 
>> the cookie management part in the plugin instead.
>>
>> Here is the readme:
>> https://sf.codex-se.org/project/shownotes.php?release_id=54
>>
>> And the code:
>> http://cvs.codex-se.org/viewcvs/viewcvs.cgi/KerberosIdentification/?cvsroot=zope 
>>
>> https://sf.codex-se.org/download.php/52/KerberosIdentification1.1.tgz
>>
>> I am also working on a RAMCacheCrumbler that stores the __ac in RAM, 
>> and which is faster than SessionCrumbler (see 
>> http://cvs.codex-se.org/viewcvs/viewcvs.cgi/RAMCacheCrumbler/?cvsroot=zope). 
>>
>>
>> Now I would like to make it work without storing the __ac in RAM. Has 
>> anyone had any experience with this?
>> I feel that the best solution is to dump the crumbler and implement 
>> everything in the userfolder.
>>
>> Has anyone managed to write a cookiecrumbler / sessioncrumbler / 
>> whatevercrumbler that does not store the password anywhere?
>
>
> Note that there is a PAS-specific list, 'zope-pas at zope.org'.  I am 
> CC'ing the zope-pas list so that the existence of the thread is noted 
> in its archives.
>
> Tres.


Hi!

I have uploaded a 0.1 release of a RAMCacheCrumbler if anyone is 
interested in testing it.
https://sf.codex-se.org/project/showfiles.php?group_id=17&release_id=56

The __ac string is stored in a ram cache (protected) and the user name 
is saved in a protected class in the session (cf PluggableUserFolder). 
It would be safer if the __ac string with the password was not stored 
anywhere, but it is still safer than storing it in a cookie 
(CookieCrumbler) or in the session (SessionCrumbler).

There is no mechanism to expire entries in the cache yet but the cache 
size does not grow since every user cannot have more than one entry in 
it (new entries replace old ones).

PS for plone users: some skins need to be updated to remove hardcoded 
references to 'cookie_authentication' and refer to 
'ramcache_authentication' instead (or simply create a RAMCacheCrumbler 
called 'cookie_authentication').

/JM
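As an added illustration of the design discussed in this thread (this is not code from RAMCacheCrumbler, KerberosIdentification or PluggableUserFolder), the following Python sketch checks the password exactly once at login, keeps only an opaque random ticket mapped to the user name in a RAM store, enforces one session per user (a new login replaces the old entry, so the store cannot grow past one entry per user), and, going beyond the 0.1 release described above, expires idle entries. The `verify_password` callback, the TTL and the injectable clock are assumptions for the example.

```python
import secrets
import time
from typing import Callable, Optional

class RamTicketStore:
    """Server-side ticket store: the password is verified once at login and
    never retained; the client cookie carries only an opaque random ticket."""

    def __init__(self, verify_password: Callable[[str, str], bool],
                 ttl_seconds: int = 1800, clock: Callable[[], float] = time.time):
        self._verify = verify_password   # hypothetical credential check (e.g. Kerberos)
        self._ttl = ttl_seconds          # idle timeout; assumed value for the example
        self._clock = clock
        self._by_ticket = {}             # ticket -> (username, last_seen)
        self._by_user = {}               # username -> ticket (one entry per user)

    def login(self, username: str, password: str) -> Optional[str]:
        if not self._verify(username, password):
            return None
        # A new login replaces any earlier session of the same user, so a
        # user can hold at most one entry and the store cannot grow unbounded.
        old = self._by_user.pop(username, None)
        if old is not None:
            self._by_ticket.pop(old, None)
        ticket = secrets.token_urlsafe(32)
        self._by_ticket[ticket] = (username, self._clock())
        self._by_user[username] = ticket
        return ticket                    # only this value goes into the cookie

    def identify(self, ticket: str) -> Optional[str]:
        entry = self._by_ticket.get(ticket)
        if entry is None:
            return None
        username, last_seen = entry
        if self._clock() - last_seen > self._ttl:
            self.logout(ticket)          # idle session expired: drop it
            return None
        self._by_ticket[ticket] = (username, self._clock())
        return username

    def logout(self, ticket: str) -> None:
        entry = self._by_ticket.pop(ticket, None)
        if entry is not None:
            self._by_user.pop(entry[0], None)

    def active_users(self) -> int:
        return len(self._by_user)        # how many users are logged on right now
```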