Below is a first draft of a proposal to cover the features discussed in
this thread. I have bundled a number of loosely related items into the
proposal. I can split them out to separate proposals if that is considered
a better approach.

There are three items which are not resolved in the high level of the
proposal. However, I believe that there is enough detail in the proposal
at the moment to elicit feedback on the Proposal scope and approach.

If this high-level is considered acceptable to the list, I will do an
implementation and submit a detailed proposal to this list, the Wiki and





Session Credentials API Enhancements

        o       Support remote IP restricted logins
        o       Support domain specific logins
        o       Encrypt Password
        o       Application overriding credentials from request
        o       Tracking of 'logged in' users


Require an API for logging in a user automatically. The mailing list
identified a number of other related requirements. Some items were added
or expanded due to usefulness in Zope2.


Secure authentication scenarios require access to be limited to a single
IP Address or set of IP Addresses. The Session Credential plugin should
take responsibility for extracting and returning the authentication IP

Some scenarios use a 'domain' and provide the login within that specific
domain (e.g. a company and users belonging to that company).

For security reasons the password should be encrypted while in the session.

The application needs an API so that it can set the credentials for a
session programmatically, i.e. as part of the sign up process.

For monitoring purposes, it is useful to know who is currently 'logged
in'. For strict security it is important to log out idle users.


1.      IP Extraction

Extract the IP Address from the credentials and store it. Return the IP
Address in the dictionary from extractCredentials().

The value from request._environ['HTTP_X_FORWARDED_FOR'] will be used if
present, otherwise request._environ['REMOTE_ADDR'].

This requires a change to ISessionCredentials to provide getIP().

2.      Domain

The Session Credentials can optionally provide a 'domain' value. Where the
domain is used the domain should be stored in the client using a cookie,
so that it can default.

The domain functionality should be enabled via the UI.

TODO:   Need to rename the domain functionality as the term domain is used
for IP specific security in Zope2.

3.      Encrypt password

The Session Credentials should use an encrypter class to encrypt the
password if configured. The class is used to encrypt the password when
saved and decrypts it when returning the password to the application (via

The encrypter class shall support the following Interface:

        from zope.interface import Interface

        class IEncryptPassword(Interface):
                """Reversible protection for a password held in session data."""

                def encrypt(login, password):
                        """Return an encrypted version of the password"""

                def decrypt(login, encrypted):
                        """Return a decrypted version of the password"""

TODO:   Determine the mechanism for locating/configuring this class.

TODO:   Identify a mechanism for recovering if you use this mechanism with
no users with encrypted passwords.

4.      Application Overriding Login Credentials

The ICredentialsPlugin.extractCredentials method will have two new
parameters, overrides and mode.

overrides will provide a dictionary containing ('login', 'password' and
'domain') which will override the same values in the request object if
they are present in the request object.

mode will define what to do with the parameters if session credentials are
already stored:

        STORED_REQUEST_MODE:    If stored values exist, use them; otherwise
                                use the request (current functionality).
        REQUEST_STORED_MODE:    Try for parameters in the request. If they are
                                present use stored values if they are available.
        REQUEST_ONLY_MODE:      Ignore values if they are stored. Use the
                                request only.

The class will use a full set of credentials from either the request or
storage. It will not mix them.

An adapter will be provided to make access to the login simpler. This
should be part of The adapter shall adapt a request

        from zope.interface import Interface

        REQUEST_ONLY = 'REQUEST_ONLY'  # stands in for the REQUEST_ONLY_MODE constant above

        class ILogin(Interface):
                """Provide support for logging in directly"""

                def login(overrides, mode=REQUEST_ONLY):
                        """Login using credentials provided in the overrides
                        parameter. {'login':'', 'password': '', 'domain': ''}

                        If values are not provided in the dictionary, the
                        is searched
                        """

                def setCredentials(overrides, mode=REQUEST_ONLY):
                        """Store the credentials for the current session. Do not
                        login the current transaction (interaction)"""

5.      Tracking of Logged in Users

The credentials data, stored for the session shall have two new values
stored to support tracking of this information:

        o       extractTime
        o       accessTime

The extractTime shall be the time that the credentials were actually

The accessTime shall be the last time that the credentials were recovered.
For performance reasons, the accessTime updates may be disabled. It shall
have a granularity of 60 seconds so that the session data is not updated
unnecessarily frequently.

5a.     Report of logged in users

A new adapter shall be written which can trawl the session records in the
session store and locate records for logged in users. The adapter shall
return a list of all logged in users, (login, extractTime and accessTime).

A UI change will provide a simple view on logged in users.

5b.     Idle time out

If the access time is being tracked, the SessionCredential plugin can
easily implement an idle timeout. This effectively does a server side
logout of users who have not accessed the system for a configured

There would be a UI change to enable Idle timeout.

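As an added illustration, not code from the proposal or from the session credentials plugin, the following Python sketch puts items 1, 3, 4, 5 and 5b together: IP extraction in the proposed header order, the item 3 encrypter hook, the three override modes, the 60-second accessTime granularity and the idle timeout. It assumes a plain dict standing in for the session data container, a constructed WSGI-style environ, and reads REQUEST_STORED_MODE as request first with stored values as the fallback, as its name suggests.

```python
import time

STORED_REQUEST_MODE, REQUEST_STORED_MODE, REQUEST_ONLY_MODE = range(3)
FIELDS = ("login", "password", "domain")
ACCESS_GRANULARITY = 60  # seconds; accessTime is rewritten at most this often

def extract_ip(environ):
    # Item 1 order: X-Forwarded-For if present, else REMOTE_ADDR. The header is
    # client-supplied unless a trusted proxy rewrites it; honour it only then.
    return environ.get("HTTP_X_FORWARDED_FOR") or environ.get("REMOTE_ADDR")

def request_credentials(form, overrides):
    """Credentials from the request; overrides replace form values (item 4)."""
    creds = {k: overrides.get(k, form.get(k)) for k in FIELDS}
    return creds if creds["login"] and creds["password"] else None

def extract_credentials(session, environ, form, overrides=None,
                        mode=STORED_REQUEST_MODE, encrypter=None,
                        idle_timeout=None, now=None):
    """Full credential set from the request or the session, never a mix.
    session: plain dict standing in for the session data container (assumed).
    encrypter: optional object with encrypt/decrypt as in item 3 (assumed)."""
    now = time.time() if now is None else now
    stored = session.get("credentials")
    if stored and idle_timeout is not None and now - stored["accessTime"] > idle_timeout:
        del session["credentials"]  # 5b: server-side logout of an idle session
        stored = None
    fresh = request_credentials(form, overrides or {})
    if mode == STORED_REQUEST_MODE:
        chosen = stored or fresh
    elif mode == REQUEST_STORED_MODE:
        chosen = fresh or stored
    else:  # REQUEST_ONLY_MODE: stored values are ignored entirely
        chosen = fresh
    if chosen is None:
        return None
    if chosen is stored:
        if now - stored["accessTime"] >= ACCESS_GRANULARITY:  # item 5 granularity
            stored["accessTime"] = now
        result = dict(stored)
        if encrypter is not None:  # item 3: decrypt on the way out
            result["password"] = encrypter.decrypt(result["login"], result["password"])
    else:
        result = dict(fresh, extractTime=now, accessTime=now)
        record = dict(result)
        if encrypter is not None:  # item 3: never store the clear-text password
            record["password"] = encrypter.encrypt(fresh["login"], fresh["password"])
        session["credentials"] = record
    result["ip"] = extract_ip(environ)
    return result
```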

> Ha David
>> Betreff: Re: [Zope-dev] Re: [Zope3-Users] How do I
>> automatically login a user
>> Thanks Jim for doing this. Actually, the domain is something
>> I have been looking for also. These other features are really
>> nice. I am hoping this
>>   can be worked into something like z3c.authentication for
>> generic use.
>> Hoping roger is following this.
> Yes, yes, just found no time to pickup this. But it's on the
> top of my 1000 things to do list ;-)
> Note:
> I started to make progress with z3c.authenticator.
> This will become a replacement for z3c.authentication.simple
> Does anybody think we will need a migration script?
> Regards
> Roger Ineichen
> _____________________________
>> Regards,
>> David
>> Jim Fulton wrote:
>> >
>> > Let's move this discussion to zope-dev.
>> >
>> > On Apr 2, 2008, at 5:36 AM, kevin gill wrote:
>> >> Please check in the code to the sandbox and I will have a
>> look at it.
>> >> The coding looks straight-forward, but choosing how to
>> work it into
>> >> the existing  components.
>> >>
>> >> I will look at the code and come back with questions.
>> >
>> >
>> > I just checked 2 files, session.txt and, into
>> >
>> >
>> >
>> > These provide several features, most of which are of particular
>> > interest
>> > here:
>> >
>> > - An api to save session credentials independent of login,
>> >
>> > - saving sha-encoded passwords,
>> >
>> > - logout api
>> >
>> > - having an optional additional credential of a user domain,
>> >   (probably not of general interest)
>> >
>> > Jim
>> >
>> > --
>> > Jim Fulton
>> > Zope Corporation
>> >
>> >
