Stuart Bishop wrote:

On 12/04/2004, at 10:39 PM, Shane Hathaway wrote:


On Mon, 12 Apr 2004, Chris Withers wrote:

I think the attached patch (against CookieCrumbler 1.1) makes
CookieCrumbler a little more secure.


Your patch won't work with multiple ZEO app servers.  It appears to store
the tokens in a module global.  Do not apply it.


I've attached some similar code we are using. Instead of
patching CookieCrumbler, it extends it and is drop-in compatible.
We are stuffing the auth credentials into the SESSION, so it will
work with ZEO if your SESSION machinery copes (either using server
affinity or your session storage is mounted by the ZEO clients from
a central storage).

I was going to pack this up and release it as a product under
BSD or MIT licence, but I either forgot or came up with a technical
reason not to. Either way, I'm having memory issues :-)

Does this look worth releasing as a separate product?

I haven't looked at the code. Do you have actual experience using core sessions over ZEO? I pondered that recently for a client, and fell back to using a hacked together version of Anthony Baxter's SQLSession product, instead.


SessionStorage would work either as a separate product, or as a knob for the CookieCrumbler, I think. If ZPL is an adequate license, why don't you check it in there?

PS: To make cookie auth properly secure, you really need to be working
over SSL only


I agree--SSL is required.  Let's not give people a false
sense of security by changing CookieCrumbler.


Unfortunately it causes performance to blow. We compromise by
having the auth form on the SSL server, but the rest of the
application on raw HTTP. This at least reduces the window
that a replay attack can be used. It would be possible to
tie the auth credential down to a particular IP address,
but that is entering the world of diminishing returns and
incompatibilities (think ISPs with farms of proxies - is this
still a problem nowadays?).

Yes; not only that, but AOL users change their IPs seemingly at random during a single session.


Tres.
--
===============================================================
Tres Seaver                                [EMAIL PROTECTED]
Zope Corporation      "Zope Dealers"       http://www.zope.com
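An added illustration of the point Shane raises above, not code from the CookieCrumbler patch or from Stuart Bishop's product: a token kept in a module global is visible only inside the process that issued it, so a login handled by one ZEO client is unknown to the next client that receives the cookie, whereas a store every client reaches from one central storage works. The sqlite file is a constructed stand-in for centrally mounted session storage, and all function names are hypothetical.

```python
import multiprocessing
import os
import secrets
import sqlite3
import tempfile

# Per-process table, as the patch is described: it lives in this interpreter's
# memory only, so each ZEO client ends up with its own diverging copy.
_TOKENS = {}

def issue_token_global(user):
    token = secrets.token_hex(16)
    _TOKENS[token] = user
    return token

def validate_token_global(token):
    return _TOKENS.get(token)

# Shared table standing in for session storage mounted by every ZEO client
# from one central storage (constructed stand-in: an sqlite file).
def _open(db_path):
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS tokens (token TEXT PRIMARY KEY, user TEXT)")
    return conn

def issue_token_shared(db_path, user):
    token = secrets.token_hex(16)
    conn = _open(db_path)
    with conn:
        conn.execute("INSERT INTO tokens VALUES (?, ?)", (token, user))
    conn.close()
    return token

def validate_token_shared(db_path, token):
    conn = _open(db_path)
    row = conn.execute("SELECT user FROM tokens WHERE token = ?", (token,)).fetchone()
    conn.close()
    return row[0] if row else None

def _login_in_child(user, db_path, pipe):
    # Runs in a separate process: the login request landing on another app server.
    pipe.send((issue_token_global(user), issue_token_shared(db_path, user)))
    pipe.close()

def login_elsewhere_then_validate_here(user):
    """Issue tokens in another process, then validate them in this one.
    Returns (user via module global, user via shared store)."""
    db_path = os.path.join(tempfile.mkdtemp(), "sessions.sqlite")
    parent, child = multiprocessing.Pipe()
    proc = multiprocessing.Process(target=_login_in_child, args=(user, db_path, child))
    proc.start()
    global_tok, shared_tok = parent.recv()
    proc.join()
    return validate_token_global(global_tok), validate_token_shared(db_path, shared_tok)

if __name__ == "__main__":
    print(login_elsewhere_then_validate_here("alice"))  # (None, 'alice')
```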


