While this is not an issue in the TurboGears code, it will bite you if you use alternative login facilities (CAS, LDAP, OpenID) in TurboGears 2.1.X applications.
These plugins tend to use auth_tkt to store the identity in a cookie.
In repoze.who-1.0.1[89]-py2.6.egg/repoze/who/plugins/auth_tkt.py:identify, any who_tokens are joined into a string and passed to the cookie creation:
    # both the tokens from the existing cookie and the who_tokens from the
    # identity are normalised to a comma-separated string here
    if not isinstance(tokens, basestring):
        tokens = ','.join(tokens)
    if not isinstance(who_tokens, basestring):
        who_tokens = ','.join(who_tokens)
    old_data = (userid, tokens, userdata)
    new_data = (who_userid, who_tokens, who_userdata)
    if old_data != new_data or (self.reissue_time and
                                ((timestamp + self.reissue_time) < time.time())):
        ticket = auth_tkt.AuthTicket(
            self.secret,
            who_userid,
            remote_addr,
            tokens=who_tokens,            # already a string at this point
            user_data=who_userdata,
            cookie_name=self.cookie_name,
            secure=self.secure)
        new_cookie_value = ticket.cookie_value()
The creation of the ticket is then done here, in /Paste-1.7.5.1/paste/auth/auth_tkt.AuthTicket.__init__:
    def __init__(self, secret, userid, ip, tokens=(), user_data='',
                 time=None, cookie_name='auth_tkt',
                 secure=False):
        self.secret = secret
        self.userid = userid
        self.ip = ip
        # joined unconditionally: a string passed in as tokens is joined
        # character by character instead of being kept as-is
        self.tokens = ','.join(tokens)
The token list is joined again, basically destroying the cookie token list.
I believe this is fixed in repoze.who version 2, but TG2.X applications are using repoze.who 1.0.18 or 1.0.19.
It does not appear that repoze.who version 1 is maintained anymore, nor are there many updates to Paste, so I am not sure where to send this error. Maybe moving to repoze.who 2 would be the solution?
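As an added illustration (not code from the original post, from repoze.who or from Paste), the snippet below reproduces the double join described above with two small stand-ins for the plugin's `identify` logic and for `AuthTicket.__init__`, shows what a role list such as `['admin', 'editor']` turns into once it has been joined twice, and contrasts it with a join that is safe to apply more than once. The helper names (`repoze_style_join`, `paste_style_join`, `safe_join`, `has_role`) and the sample role names are assumptions made for this example; the original code targets Python 2 (`basestring`), so `str` is used here in its place.

```python
# Added example (not from the original post, repoze.who or Paste).
# Demonstrates how an auth_tkt token list is corrupted when the
# comma-joined string is joined a second time, and why a role check
# against the resulting cookie then fails.


def repoze_style_join(tokens):
    """Stand-in for the repoze.who plugin: join a sequence into a string,
    but leave a string alone."""
    if not isinstance(tokens, str):
        tokens = ','.join(tokens)
    return tokens


def paste_style_join(tokens):
    """Stand-in for Paste's AuthTicket.__init__: unconditional join.
    Iterating over a str yields its characters, so a string that is
    already comma-separated gets a comma inserted between every character."""
    return ','.join(tokens)


def tokens_after_double_join(tokens):
    """What ends up in the cookie when the plugin's string is handed to
    Paste's constructor (the behaviour described in the post)."""
    return paste_style_join(repoze_style_join(tokens))


def safe_join(tokens):
    """A join that is idempotent: a str is returned unchanged, any other
    iterable of str is joined once. Applying it twice gives the same
    result as applying it once."""
    if isinstance(tokens, str):
        return tokens
    return ','.join(tokens)


def tokens_after_safe_join(tokens):
    """Same two-stage pipeline, but with the idempotent join on both sides."""
    return safe_join(safe_join(tokens))


def parse_tokens(cookie_field):
    """Split the cookie's token field back into a list, the way an
    authorization layer would before comparing roles."""
    return [t for t in cookie_field.split(',') if t]


def has_role(cookie_field, role):
    """True if the role survives the round trip through the cookie."""
    return role in parse_tokens(cookie_field)


if __name__ == '__main__':
    roles = ['admin', 'editor']      # constructed sample role list
    broken = tokens_after_double_join(roles)
    fixed = tokens_after_safe_join(roles)
    print('double join :', broken, '-> has admin:', has_role(broken, 'admin'))
    print('safe join   :', fixed, '-> has admin:', has_role(fixed, 'admin'))
```

Running the block prints the corrupted field `a,d,m,i,n,,,e,d,i,t,o,r` for the double join, so a later `has_role(..., 'admin')` check sees only single-character tokens and denies the role, which is the symptom an application using CAS/LDAP/OpenID plugins with repoze.who 1.0.18/1.0.19 would observe; the idempotent join keeps `admin,editor` intact no matter how many layers re-join it.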
--
You received this message because you are subscribed to the Google Groups
"TurboGears" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/turbogears/-/BU3csMxcAwkJ.