[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler

Jean-Marc Orliaguet jmo at ita.chalmers.se
Tue Oct 12 13:20:10 EDT 2004


Simon Eisenmann wrote:

>On Tue, 2004-10-12 at 16:15 +0200, Jean-Marc Orliaguet wrote:
>
>>All you need to do is to set a _ZopeID cookie that you have stolen, login
>>(you are already logged in), and use the 'mail password' script to send
>>the password.
>
>OK, right, that's a problem. But I think I can wrap the password in the
>session inside a special object which itself does some additional
>verification that this request really may access this session. Such
>additional checks could check the source IP address of the client, for
>instance. Doing stuff like this would mean that the user needs to fake an
>HTTP request, which is a bit more complex than just using the mail
>password script. How do you feel about this?
>
>Cheers,
> Simon
That is what RAMCacheCrumbler does by saving the username in a protected 
object in the session (I borrowed the class from PluggableUserFolder). 
Also I have added a condition to log out the currently logged-on user if 
another user logs in with the same username and/or the same ZopeID.

I am not planning to use RAMCacheCrumbler anywhere in production; this 
is more like a prototype. It is more secure than SessionCrumbler, but 
only relatively, since the password is saved in RAM.

Again, you are trying to fix a hack based on a flawed design (or a design 
that was not meant to be used under these circumstances), and it is not 
going to get any more secure than it is, but I do understand your point.

Regards /JM
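The two mitigations discussed above (binding a session to the client's source IP, and logging out the existing session when the same user logs in again) as an added, self-contained example. This is illustrative code written for this page, not Zope, CMF, CookieCrumbler, SessionCrumbler or RAMCacheCrumbler code; the `SessionStore`, `Session`, `login`, `authenticate` and `demo` names, the server secret and the IP addresses are all constructed for the demo. It keeps only the username in the session, never the password, so a replayed cookie cannot be turned into a mailed password even if the other checks fail.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Added example, not from Zope/CMF. Models the thread's two ideas:
#   1. a session is bound to the client address it was issued to, and
#   2. a new login by the same user evicts that user's older session.
# All identifiers below are hypothetical.


@dataclass
class Session:
    username: str
    ip_binding: str   # HMAC(server_secret, client_ip); the raw IP is not stored


class SessionStore:
    def __init__(self, secret=None):
        # Constructed secret for the demo; a real deployment would load one.
        self._secret = secret or secrets.token_bytes(32)
        self._sessions = {}   # session_id -> Session
        self._by_user = {}    # username -> session_id (one live session per user)

    def _bind(self, client_ip):
        # Keyed hash so an attacker who reads the session table learns no addresses.
        return hmac.new(self._secret, client_ip.encode(), hashlib.sha256).hexdigest()

    def login(self, username, client_ip):
        # Evict any session this user already holds (thread's "log out the
        # currently logged-on user if another user logs in with the same username").
        old_sid = self._by_user.pop(username, None)
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self._sessions[sid] = Session(username, self._bind(client_ip))
        self._by_user[username] = sid
        return sid

    def authenticate(self, sid, client_ip):
        """Return the username for sid, or None if unknown or presented from
        a different address than it was issued to (stolen-cookie case)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if not hmac.compare_digest(s.ip_binding, self._bind(client_ip)):
            return None
        return s.username


def demo():
    """Walk through the scenarios from the thread with constructed addresses."""
    store = SessionStore(secret=b"constructed-demo-secret")
    sid = store.login("alice", "192.0.2.10")
    legit = store.authenticate(sid, "192.0.2.10")          # victim's own browser
    stolen = store.authenticate(sid, "198.51.100.7")       # attacker replays the cookie
    sid2 = store.login("alice", "192.0.2.11")              # alice logs in elsewhere
    evicted = store.authenticate(sid, "192.0.2.10")        # first session is now gone
    current = store.authenticate(sid2, "192.0.2.11")       # new session works
    return legit, stolen, evicted, current


if __name__ == "__main__":
    print(demo())
```

The IP check is defence in depth only: clients behind carrier NAT or roaming between networks change source address mid-session, so a strict binding causes spurious logouts, and an attacker on the same NAT pool passes it. As the reply above says, the real fix is not to keep the secret (the password) in the session at all.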
