Re: [Zope] Cookie Crumbler

2014-02-10 Thread Stefan H. Holek
These days I'd use the PAS with plone.session, which despite its name works 
fine without Plone.

https://pypi.python.org/pypi/plone.session

Stefan


On 09.02.2014, at 23:10, Jon Grange wrote:

> Hello all
> Returning to a zope 2 web application I built 5 or 6 years ago that now needs 
> some updating. Is cookie crumbler over SSL still a good and proper way to 
> secure a public facing website?

-- 
Stefan H. Holek
ste...@epy.co.at

___
Zope maillist  -  Zope@zope.org
https://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 https://mail.zope.org/mailman/listinfo/zope-announce
 https://mail.zope.org/mailman/listinfo/zope-dev )


Re: [Zope] Cookie Crumbler

2014-02-09 Thread Frank Hempel
Am 09.02.2014 23:10, schrieb Jon Grange:
> Hello all
> Returning to a zope 2 web application I built 5 or 6 years ago that now
> needs some updating. Is cookie crumbler over SSL still a good and proper
> way to secure a public facing website?


If I remember right, CC used the Basic access auth string (base64 encoded
login/password) as content for its auth-cookie, which is clearly not a
nice practice. However, this could easily be changed to some sort of
session key...

Regards, Frank
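
The contrast drawn in the message above, as an added example that is not part of the original post and not CookieCrumbler's code: a cookie holding base64 of login:password discloses the password to anyone who reads it, while a random session key discloses nothing and can be revoked on the server. The names `credential_cookie`, `disclosed_by_cookie` and `SessionStore` are hypothetical, and the credentials are constructed sample values.

```python
import base64
import secrets
import time


def credential_cookie(login, password):
    """Cookie value of the kind described above: base64 of 'login:password'."""
    return base64.b64encode(f"{login}:{password}".encode()).decode()


def disclosed_by_cookie(cookie_value):
    """base64 is an encoding, not encryption: no key is needed to read it."""
    login, _, password = base64.b64decode(cookie_value).decode().partition(":")
    return login, password


class SessionStore:
    """Hypothetical server-side store: the cookie carries only a random key."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._sessions = {}  # session key -> (login, expiry timestamp)

    def issue(self, login):
        """Call after the password was verified once; returns the cookie value."""
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[key] = (login, self._clock() + self._ttl)
        return key

    def lookup(self, key):
        """Return the login for a live session key, or None."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        login, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[key]  # expired keys stop working server-side
            return None
        return login

    def revoke(self, key):
        """Logout: the key is useless even if a copy of the cookie survives."""
        self._sessions.pop(key, None)


if __name__ == "__main__":
    # Constructed sample credentials, for illustration only.
    cookie = credential_cookie("jon", "correct horse")
    print("credential cookie discloses:", disclosed_by_cookie(cookie))

    store = SessionStore(ttl_seconds=60)
    key = store.issue("jon")
    print("session cookie:", key, "->", store.lookup(key))
    store.revoke(key)
    print("after logout:", store.lookup(key))
```

Either kind of cookie still needs SSL and the Secure and HttpOnly flags; the difference is what is lost if the cookie is captured and whether the server can invalidate it.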




RE: [Zope] Cookie Crumbler/Authentication Question

2006-04-19 Thread Palermo, Tom
Hi Dieter,

Yes, I googled around a bit more and found this method. Works nicely:
self.restrictedTraverse(['','login']).credentialsChanged(user,username,req.password)

Thanks,
Tom Palermo 

-Original Message-
From: Dieter Maurer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 19, 2006 1:44 PM
To: Palermo, Tom
Cc: 'zope@zope.org'
Subject: Re: [Zope] Cookie Crumbler/Authentication Question

Palermo, Tom wrote at 2006-4-18 22:29 -0400:
>I am working on a site that uses CookieCrumbler for the authentication. 
>Part of this site allows a user to change their password via this line:
>userfolder.manage_users(submit='Change', REQUEST=user_info). 
> 
>This works fine except after changing the password, the user is no 
>longer authenticated and an Unauthorized exception is raised. Is there 
>anyway to automatically keep the user logged in or re-authenticate them.

Look at the CookieCrumblers "credentialChanged" method.


--
Dieter


Re: [Zope] Cookie Crumbler/Authentication Question

2006-04-19 Thread Dieter Maurer
Palermo, Tom wrote at 2006-4-18 22:29 -0400:
>I am working on a site that uses CookieCrumbler for the authentication. Part
>of this site allows a user to change their password via this line:
>userfolder.manage_users(submit='Change', REQUEST=user_info). 
> 
>This works fine except after changing the password, the user is no longer
>authenticated and an Unauthorized exception is raised. Is there anyway to
>automatically keep the user logged in or re-authenticate them.

Look at the CookieCrumblers "credentialChanged" method.


-- 
Dieter


Re: [Zope] Cookie Crumbler

2006-01-06 Thread David H




Dieter Maurer wrote:

> Infor Gates wrote at 2006-1-4 20:14 -0800:
>> I have a trying time using Cookie Crumbler 1.2 with Zope2.8.4 (windows version).
>> I could NOT figure out how to log out a user.  I have simplified to the original logged_out form to this:
>
> The "Cookie Crumbler" has a "logout" method.
> You should use it for the logout (and not try to emulate it yourself).
>
> You can activate it via an URL of the form:
>
> url_to_your_cookie_crumbler/logout
>
> It will redirect to the "logout_page" (you can configure for
> your "Cookie Crumbler").


  

Infor,

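You can also do it with a Python script like so (I make a Python
script into index_html and use it as a request clearing house):

request = context.REQUEST  # current request, if not passed in as a parameter
if request.get('action_type') == 'LOGOUT':
    # logout() redirects to the configured logout page
    context.cookie_authentication.logout()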

I guess you can translate this into DTML with something like:



David








Re: [Zope] Cookie Crumbler

2006-01-06 Thread Infor Gates
Thank you for your patience. Please do pardon my ignorance - am still at the learning stage.

Dieter Maurer <[EMAIL PROTECTED]> wrote:
> Infor Gates wrote at 2006-1-5 14:11 -0800:
>> Yes, after reading the source code.  However, my problem as I found out is
>> that I do not know how to access the methods in CC from DTML. I am not well
>> versed with Python (still learning though).
>
> Please, read my messages carefully!
>
> As "CookieCrumbler.logout" performs a redirect, it is usually better
> not to call "logout" from a DTML method but activate it via an URL
> (e.g. via a "logout" link or a redirect).
>
> However, you can call the "CookieCrumbler" methods from DTML
> like you call any other method:
>
> Note again that "logout" performs a redirect. You will usually not
> see the result of your "DTML" page.


Re: [Zope] Cookie Crumbler

2006-01-06 Thread Dieter Maurer
Infor Gates wrote at 2006-1-5 14:11 -0800:
>Yes, after reading the source code.  However, my problem as I found out is 
>that I do not know how to access the methods in CC from DTML. I am not well 
>versed with Python (still learning though).

Please, read my messages carefully!

As "CookieCrumbler.logout" performs a redirect, it is usually better
not to call "logout" from a DTML method but activate it via an URL
(e.g. via a "logout" link or a redirect).


However, you can call the "CookieCrumbler" methods from DTML
like you call any other method:

 


Note again that "logout" performs a redirect. You will usually not
see the result of your "DTML" page.

> ...
>Dieter Maurer <[EMAIL PROTECTED]> wrote: Infor Gates wrote at 2006-1-4 20:14 
>-0800:
>>I have a trying time using Cookie Crumbler 1.2 with Zope2.8.4 (windows 
>>version).
>>I could NOT figure out how to log out a user.  I have simplified to the 
>>original logged_out form to this:
>
>The "Cookie Crumbler" has a "logout" method.
>You should use it for the logout (and not try to emulate it yourself).
>
>You can activate it via an URL of the form:
>
>url_to_your_cookie_crumbler/logout
>
>It will redirect to the "logout_page" (you can configure for
>your "Cookie Crumbler").
>
>
>-- 
>Dieter
-- 
Dieter


Re: [Zope] Cookie Crumbler

2006-01-05 Thread Infor Gates
Yes, after reading the source code.  However, my problem as I found out is that I do not know how to access the methods in CC from DTML. I am not well versed with Python (still learning though).

Thank you.

Dieter Maurer <[EMAIL PROTECTED]> wrote:
> Infor Gates wrote at 2006-1-4 20:14 -0800:
>> I have a trying time using Cookie Crumbler 1.2 with Zope2.8.4 (windows version).
>> I could NOT figure out how to log out a user.  I have simplified to the original logged_out form to this:
>
> The "Cookie Crumbler" has a "logout" method.
> You should use it for the logout (and not try to emulate it yourself).
>
> You can activate it via an URL of the form:
>
> url_to_your_cookie_crumbler/logout
>
> It will redirect to the "logout_page" (you can configure for
> your "Cookie Crumbler").
>
> --
> Dieter


Re: [Zope] Cookie Crumbler

2006-01-05 Thread Dieter Maurer
Infor Gates wrote at 2006-1-4 20:14 -0800:
>I have a trying time using Cookie Crumbler 1.2 with Zope2.8.4 (windows 
>version).
>I could NOT figure out how to log out a user.  I have simplified to the 
>original logged_out form to this:

The "Cookie Crumbler" has a "logout" method.
You should use it for the logout (and not try to emulate it yourself).

You can activate it via an URL of the form:

url_to_your_cookie_crumbler/logout

It will redirect to the "logout_page" (you can configure for
your "Cookie Crumbler").


-- 
Dieter


Re: [Zope] Cookie Crumbler

2006-01-05 Thread Infor Gates
I found that my weakness is that I am a DTML scripter. After printing the Cookie Crumbler source code, I need some help/advice as how to access the Cookie Crumbler methods or api from DTML.  I have searched the Zope documents however have found none that can help.

I would appreciate some advice or pointers.

Thank you.

Infor Gates <[EMAIL PROTECTED]> wrote:
> Dear zopist
>
> I have a trying time using Cookie Crumbler 1.2 with Zope2.8.4 (windows version).
> I could NOT figure out how to log out a user.  I have simplified to the original logged_out form to this:
>
> logout
>
> However, neither this nor the original logged_out dtml seems to work.
> Is it because I am using frames in my dtml that causes it or I am getting the concept of how Cookie Crumbler works?
>
> Thank you.


Re: [Zope] Cookie Crumbler

2006-01-04 Thread Jonathan



I haven't used Cookie Crumbler, but I do use 
cookies for user authentication, and when I want to 'log out' a user I just 
write a 'false' value to the cookie, then when the authentication routine checks 
the cookie it gets an invalid value and the user is deemed 
'unauthenticated/anonymous'.
 
hth
 
Jonathan
 

  - Original Message -
  From: Infor Gates
  To: zope@zope.org
  Sent: Wednesday, January 04, 2006 11:17 PM
  Subject: Fwd: [Zope] Cookie Crumbler

  Sorry for the typo error at the last sentence.

  However, neither this nor the original logged_out dtml seems to work.
  Is it because I am using frames in my dtml that causes it or I am
  getting the concept of how Cookie Crumbler works - WRONG ?

  Thank you.

  Note: forwarded message attached.


Re: [Zope] cookie crumbler and error messages

2005-11-22 Thread Dieter Maurer
paul hendrick wrote at 2005-11-21 14:44 +:
>Hi, thanks for the reply.
>I did what you asked and the error log produced these messages:
>
>Unauthorized: You are not authorized to access this
>resource. Username and password are not correct.
>Unauthorized: You are not allowed to access 'sql_select' in this context
>
>the sql_select error is because my .metadata file is denying requests to it
>for users with a certain role.
>no idea where to go from here i'm afraid

There is another vital rule: whenever you see errors (more
precisely "exception"s), you should look (and report) the associated
traceback. It tells you where the exception occurred.

What we know so far: the request tried to access "sql_select" and
did not have the required permission.
The traceback will tell you where this happens and this may help
us to understand why it happens.


-- 
Dieter


Re: [Zope] cookie crumbler and error messages

2005-11-21 Thread paul hendrick
Hi, thanks for the reply.
I did what you asked and the error log produced these messages:

Unauthorized: You are not authorized to access this resource.
Username and password are not correct.
Unauthorized: You are not allowed to access 'sql_select' in this context
the sql_select error is because my .metadata file is denying requests to it for users with a certain role. 
no idea where to go from here i'm afraid

cheers,
Paul
On 11/18/05, Dieter Maurer <[EMAIL PROTECTED]> wrote:
> Paul Hendrick wrote at 2005-11-16 17:28 +:
>> I'm using CookieCrumbler on a project which sits in / on one server,
>> and /project in another.
>> I'd like to secure a part of the site through *.metadata files so that
>> users of a certain role can't access it. this is done and works well.
>> however, when they try to access a part of the site which is secured,
>> they're:
>> a- given a log in popup prompt which they don't have the details for.
>
> What is "a log in popup prompt"?
> Do you mean the browser login dialog?
>
> Usually, you should get the cookie crumblers login form.
> If you get instead a browser login dialog, this means that
> something went wrong. Often, it means that the URL located
> object itself was not protected but it accesses a protected object.
>
> Reconfigure your "error_log" object (ZMI, "Root Folder")
> to not ignore "Unauthorized" exceptions.
> Reproduce the error and look what the "error_log" might tell
> you about it.
>
> --
> Dieter

-- 
cheers,
paul
web : http://www.currentlyfabulous.com/blog


Re: [Zope] cookie crumbler and error messages

2005-11-18 Thread Dieter Maurer
Paul Hendrick wrote at 2005-11-16 17:28 +:
>I'm using CookieCrumbler on a project which sits in / on one server,
>and /project in another.
>I'd like to secure a part of the site through *.metadata files so that
>users of a certain role can't access it. this is done and works well.
>however, when they try to access a part of the site which is secured,
>they're:
>a- given a log in popup prompt which they don't have the details for.

What is "a log in popup prompt"?
Do you mean the browser login dialog?

Usually, you should get the cookie crumblers login form.
If you get instead a browser login dialog, this means that
something went wrong. Often, it means that the URL located
object itself was not protected but it accesses a protected object.


Reconfigure your "error_log" object (ZMI, "Root Folder")
to not ignore "Unauthorized" exceptions.
Reproduce the error and look what the "error_log" might tell
you about it.

-- 
Dieter


Re: [Zope] cookie crumbler and error messages

2005-11-18 Thread Chris Withers

Paul Hendrick wrote:

> Hi all,
> I'm using CookieCrumbler on a project which sits in / on one server,
> and /project in another.

...that could do with more explanation :-S

> I'd like to secure a part of the site through *.metadata files so that
> users of a certain role can't access it.

This is _not_ the correct way to do this. Are you using Plone or 
something similarly silly?
What are you trying to do? What led you to believe .metadata files are 
the way to go?

> however, when they try to access a part of the site which is secured,
> they're:
> a- given a log in popup prompt which they don't have the details for.
> and

You've likely managed to make the login form inaccessible to anonymous 
users...


cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
   - http://www.simplistix.co.uk
