Shane Hathaway wrote:

I think the attached patch (against CookieCrumbler 1.1) makes
CookieCrumbler a little more secure.


Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global. Do not apply it.

Well, that's a little harsh. The default methods will only work on setups where there's at most one ZEO client accepting web requests for each user.


However, all you have to do is drop 3 ZSQL-methods-filtereted-through-python-scripts or python-scripts-using-a-session-data-container and it works across any number of ZEO clients accepting web requests for any user.

PS: To make cookie auth properly secure, you really need to be working
over SSL only

I agree--SSL is required. Let's not give people a false sense of security by changing CookieCrumbler.

That was the reason for the long NB/PS at the end of the email.
The patch does still prevent the Browser seeing the password of the user, and reduces the chances of session hijacking. With normal cookie crumbler, if you snoop a session, you can keep using it until the user changes their password. With the patch, at longest it'll be until the app server is restarted, but more likely the 20 minute session expirey time on the server and, if the session was being using actively at the time it was snooped, until the user next requests a page.


For me, that's worth patching for, it's up to you if you want to include it in an offical CookieCrumbler release or not ;-)

cheers,

Chris

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk


_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )

Reply via email to