Hi guys, I'm currently evaluating both Pylons and TG2 as a platform to port an existing ASP/VBScript based e-commerce application. The decision between Pylons with custom components or TG2 depends on how much of the TG2 components can be used out of the box. One of these components is authentication.
The current cookie-based authentication system uses two separate identification tickets to prevent cookie hijacking. A public ticket is used for the unencrypted part of the site. It is used for things like displaying a log-off link, recommended products and various other personalisations. A second secure ticket is used to track the user on the SSL-encrypted part of the site. This system is secure because the secure ticket can't be sniffed on the unencrypted part of the site without breaking SSL. The tickets are random strings generated during authentication and stored in the user table. Depending on the URI, the authentication function (user = authenticated_user()) uses either the public or the secure ticket.

Now back to TG2/Repoze.who. I understand that the InsecureCookiePlugin uses one cookie to identify the user on both the encrypted and secure site, which isn't safe (hey, what's in the name). Setting the cookie to secure disables all user tracking on the public site, which is also unacceptable. As I understand it, the AuthTktCookiePlugin method sends the userid in the clear over the wire. A salted MD5 hash is used to prevent tampering with this userid. The problem with this method is that a sniffer can use brute force/rainbow tables to obtain the salt (it's the only unknown).

Secondly, skipping through the AuthTktCookiePlugin code I don't see it setting the username/password fields in the identity map (only "repoze.who.userid"). From the documentation and code I understand that an IdentifierPlugin needs to return/set a login/password combination to work with the SQLAuthenticatorPlugin in tgext.authorization. Can it be that this identifier plug-in doesn't work in combination with the SQLAuthenticatorPlugin? So that leaves me with the question of how to do secure cookie authentication in TG2. Should I implement my own IdentifierPlugin and AuthenticatorPlugin to support this use case?
If so, can someone point me in the right direction on how to configure a TG2 app to use these custom plug-ins?

You received this message because you are subscribed to the Google Groups "TurboGears Trunk" group.
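The two-ticket scheme described in the post, as an added example that is not part of the original message and not code from TurboGears or repoze.who: plain Python shaped like a repoze.who identifier's identify()/remember()/forget(), but without importing repoze.who. The cookie names, the in-memory user table and the WSGI environ dicts are assumptions; the point shown is that a ticket sniffed on the unencrypted part of the site is never accepted on the SSL part.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for the user table: userid -> its two random tickets.
USERS = {}

# Assumed cookie names; the public cookie is sent on http and https,
# the secure cookie carries the Secure flag and is only sent over https.
PUBLIC_COOKIE, SECURE_COOKIE = "public_tkt", "secure_tkt"


def login(userid):
    """Authentication succeeded: issue two independent random tickets."""
    USERS[userid] = {"public": secrets.token_hex(16),
                     "secure": secrets.token_hex(16)}
    return USERS[userid]


def remember(userid):
    """Set-Cookie headers a repoze.who-style remember() would return."""
    t = USERS[userid]
    return [
        ("Set-Cookie", f"{PUBLIC_COOKIE}={t['public']}; Path=/; HttpOnly"),
        ("Set-Cookie", f"{SECURE_COOKIE}={t['secure']}; Path=/; HttpOnly; Secure"),
    ]


def forget(userid):
    """Log-off: invalidate both tickets server-side and expire the cookies."""
    USERS.pop(userid, None)
    return [("Set-Cookie", f"{c}=; Path=/; Max-Age=0")
            for c in (PUBLIC_COOKIE, SECURE_COOKIE)]


def identify(environ):
    """Return the userid for this request, or None.

    Only the ticket that matches the request scheme is consulted, so a
    public ticket replayed on the https part identifies nobody."""
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    if environ.get("wsgi.url_scheme") == "https":
        name, field = SECURE_COOKIE, "secure"
    else:
        name, field = PUBLIC_COOKIE, "public"
    presented = jar[name].value if name in jar else None
    if not presented:
        return None
    # Linear scan is fine for a demo; a real table would index the ticket.
    for userid, t in USERS.items():
        if secrets.compare_digest(t[field], presented):
            return userid
    return None
```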
