[Zope] CoreSessionTracking-based LoginMethod for LoginManager
Chris McDonough
chrism@zope.com
Wed, 15 Aug 2001 10:57:15 -0400
Andy Gimblett wrote:
>
> > > - The CST documentation mainly talks about CST as a way of tracking
> > > anonymous sessions, but I see no reason why it couldn't be used
> > > in this way too...?
> >
> > Well... one reason is that there is no failsafe access control on
> > session data objects (the token key is the only thing required to grab
> > hold of a session data object and all of its contents via DTML).
>
> Nuts - hadn't thought of that.
>
> > As a result, the data that is stored in a session data object would
> > itself need to be encrypted in some way for it to be "secured".
> > Encrypting it assumes some sort of shared key, so you're back to the
> > original problem with a layer of indirection. :-(
>
> OK... So how about the LoginMethod has the key as a property, defined
> when it's created (heck, even chosen at random and never visible to any
> user). Then the raw data from the SessionDataManager is useless, 'cos
> only the LoginMethod knows the key, but the LoginMethod can decode it
> and decide if they're logged in or not - right?
That works.
> Or am I missing something - is this still insecure?
It's as secure as the key shared by the login method and the object in
the session data.
> > Safe authentication is a hard problem. The sessioning machinery might
> > help in some way, but it's not an answer in and of itself.
>
> *nods* - I think I'd still like to use it, because it's a nice way to
> organise things. Putting any meaningful data on the client side gives
> me heebie-jeebies.
Yeah, although it's really the same thing in this case. Encrypting the
user info with a shared key and storing it in a cookie isn't really all
that much less secure than storing the user info in a session data
object. Although I guess it could be argued that in practice, it's more
secure, because folks need to know how to ask the session data object
for the encrypted user info.
> Of course, I'm assuming that CST includes checks to guard against
> cookie-hijacking. :-)
Um... maybe. What kind of checks did you have in mind? ;-)
--
Chris McDonough Zope Corporation
http://www.zope.org http://www.zope.com
""" Killing hundreds of birds with thousands of stones """