[Zope-PAS] [RFC] Extending CookieAuthHelper

Chris Withers chris at simplistix.co.uk
Tue Nov 16 07:18:46 EST 2004


(belatedly sending again in the hope that the list doesn't bounce it again)

Hi Jens,

Jens Vagelpohl wrote:
> In a nutshell, credentials should not be stored in the cookie itself. 
> The proposed changes involve storing a simple key, or "ticket", in the 
> cookie and storing the credentials in the user's session under that 
> ticket key.

I think Lennart Regebro already has some nice code to do this bit...
However, it would be nice if this plugin could optionally use a storage
mechanism other than the user's session, in cases where even more
security is required (being able to specify that the cookie should only
be sent by https, hashing with the user's ip address, etc)

> Also, the lifespan of the cookie should be configurable on the plugin 
> and there should be a "logout" method that can be called from user 
> space/untrusted code to effect cookie expiration.

The place on the server should also have the same expiration code. ie:
when you expire the cookie, the server side session should also be
removed, so even if someone has stolen a cookie, they can't use it...

> Like I said, this could be done by extending the CookieAuthHelper or by 
> basing a new plugin on it. What are peoples' preferences or suggestions?

I'd prefer to see CookieAuthHelper get better, rather than adding a new
one...

cheers,

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
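The design discussed above (an opaque ticket in the cookie, the credentials kept server-side, a configurable lifespan, a logout that drops the server-side record so a stolen cookie is useless, the Secure flag, and optional binding to the client address) as a self-contained added example. This is not code from the thread, from PAS or from CookieAuthHelper; the class and function names (`TicketStore`, `cookie_header`, `demo`) and the constructed addresses and clock values are assumptions made for illustration.

```python
"""Added example (not Zope/PAS code): ticket-based cookie auth with a
server-side credential store, as sketched in the thread. All names here
are hypothetical."""
import hashlib
import hmac
import secrets
import time


class TicketStore:
    """Maps opaque tickets to credentials on the server.

    Only the ticket travels in the cookie; login and password never do.
    A pluggable clock makes expiry testable offline.
    """

    def __init__(self, lifespan_seconds=3600, bind_to_ip=False, clock=time.time):
        self.lifespan = lifespan_seconds      # configurable cookie/session lifespan
        self.bind_to_ip = bind_to_ip          # optional "hash with the user's ip" mode
        self._clock = clock
        self._sessions = {}                   # ticket -> record

    def _ip_digest(self, ticket, remote_addr):
        # Keyed digest so the stored value is not a bare hash of the address.
        return hmac.new(ticket.encode(), remote_addr.encode(), hashlib.sha256).hexdigest()

    def login(self, login, password, remote_addr):
        """Store credentials under a fresh random ticket and return the ticket."""
        ticket = secrets.token_urlsafe(32)
        record = {"login": login, "password": password,
                  "expires": self._clock() + self.lifespan}
        if self.bind_to_ip:
            record["ip_digest"] = self._ip_digest(ticket, remote_addr)
        self._sessions[ticket] = record
        return ticket

    def extract_credentials(self, ticket, remote_addr):
        """Return the credentials for a ticket, or None if it is unknown,
        expired, or (when bound) presented from another address."""
        record = self._sessions.get(ticket)
        if record is None:
            return None
        if self._clock() >= record["expires"]:
            del self._sessions[ticket]          # server-side expiry, not just the cookie's
            return None
        if self.bind_to_ip and not hmac.compare_digest(
                record["ip_digest"], self._ip_digest(ticket, remote_addr)):
            return None
        return {"login": record["login"], "password": record["password"]}

    def logout(self, ticket):
        """Drop the server-side record; a copied cookie is now worthless."""
        return self._sessions.pop(ticket, None) is not None


def cookie_header(name, ticket, lifespan, secure=True):
    """Set-Cookie value: Secure restricts the cookie to https, HttpOnly keeps
    it away from page scripts, Max-Age carries the configured lifespan."""
    parts = [f"{name}={ticket}", f"Max-Age={lifespan}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def expired_cookie_header(name):
    """Set-Cookie value sent by logout to make the browser discard the ticket."""
    return f"{name}=deleted; Max-Age=0; Path=/; HttpOnly; Secure"


def demo():
    """Constructed scenario: valid use, reuse from another address,
    use after logout, and use after the lifespan has elapsed."""
    clock = [1000.0]
    store = TicketStore(lifespan_seconds=60, bind_to_ip=True, clock=lambda: clock[0])
    ticket = store.login("alice", "s3cret", "203.0.113.5")
    results = {}
    results["valid"] = store.extract_credentials(ticket, "203.0.113.5") is not None
    results["other_ip"] = store.extract_credentials(ticket, "198.51.100.9") is not None
    store.logout(ticket)
    results["after_logout"] = store.extract_credentials(ticket, "203.0.113.5") is not None
    ticket2 = store.login("alice", "s3cret", "203.0.113.5")
    clock[0] += 61
    results["after_expiry"] = store.extract_credentials(ticket2, "203.0.113.5") is not None
    return results


if __name__ == "__main__":
    print(demo())
    print(cookie_header("__ac", "example-ticket", 60))
```

Two design points follow from the thread: `logout` must remove the server-side record, not only send an expiring cookie, otherwise a copied ticket keeps working until the lifespan runs out; and binding to the client address is left optional because users behind changing NAT or proxy addresses would be logged out mid-session.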
