
Session based authentication for Zope

Project description

Overview

plone.session implements secure session management for Zope sites. It can be used directly, or be used as a base for custom session management strategies.

In its default configuration plone.session uses a secure cryptographic hash based on HMAC SHA-1 to authenticate sessions. The hash is generated using the user's login name and a secret stored in the PAS plugin. This has several advantages over other session management systems:

  • passwords are not sent to the server in a cookie on every request, as is done by the Cookie Auth Helper

  • it does not require any ZODB write for sessions, as is needed by the Session Crumbler. This allows it to scale very well.

  • it allows you to invalidate all existing authentication cookies for users by updating the secret.

Normally a session cookie is used to track sessions; that means that as long as a user keeps the browser open (and does not explicitly log out) the session remains open. This can be changed by setting the cookie_lifetime property of the plugin to the number of seconds the cookie should remain valid after the moment of login.

Using plone.session

plone.session only takes care of handling sessions for already authenticated users. This means it cannot be used stand-alone: you need another PAS plugin, such as the standard Cookie Auth Helper, to take care of authentication.

After a user has been authenticated, plone.session can take over via the PAS credentials update mechanism.

Using custom session authentication

plone.session delegates the generation and verification of sessions to an ISessionSource adapter. This adapter adapts the PAS plugin and implements four methods:

  • createIdentifier: Return an identifier for a userid. An identifier is a standard Python string object.

  • verifyIdentifier: Verify if an identifier corresponds to a valid session. Returns a boolean indicating if the identity is valid.

  • extractLoginName: Extract the login name from an identifier.

  • invalidateSession: Mark a session for a principal as invalid. A source may not support this, in which case it should return False.

plone.session ships with two example adapters: hash and userid.

The userid adapter is a trivial example which uses the userid as session identifier. This is very insecure since there is no form of verification at all. DO NOT USE THIS ADAPTER IN YOUR SITE!

The hash adapter creates a random secret string which is stored as an attribute on your plugin. It uses this secret to create a SHA-1 signature for the user id, and that signature is used as the session identifier. This approach has several good qualities:

  • it allows us to verify that a session identifier was created by this site

  • there is no need to include passwords in the session identifier

  • it does not need to store anything in Zope itself. This means it works as-is in ZEO setups and can scale very well.

There are a few downsides to this approach:

  • if a user's password is changed or disabled, session identifiers will continue to work, making it hard to lock out users
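To make the hash approach concrete, here is an added Python 3 sketch of a hash-style session source with the four ISessionSource methods; it is example code written for this page, not plone.session's own implementation, and the "userid:signature" layout, the rotateSecret helper and the constructed secret are assumptions. The identifier carries the userid next to an HMAC-SHA1 over it, keyed with the plugin secret, and is base64-encoded with binascii so long cookies never gain newlines.

```python
import binascii
import hashlib
import hmac
import secrets


class HashSessionSource:
    """Sketch of a hash-style ISessionSource; added example, not plone.session's code."""

    def __init__(self, secret=None):
        # plone.session keeps the secret on the PAS plugin (plone.keyring in 3.0).
        self.secret = secret or secrets.token_bytes(32)

    def _signature(self, userid):
        return hmac.new(self.secret, userid.encode("utf-8"), hashlib.sha1).hexdigest()

    def createIdentifier(self, userid):
        raw = "%s:%s" % (userid, self._signature(userid))
        return binascii.b2a_base64(raw.encode("utf-8"), newline=False).decode("ascii")

    def _split(self, identifier):
        # Hex signatures never contain ":", so the last field is always the signature.
        try:
            userid, signature = binascii.a2b_base64(identifier).decode("utf-8").rsplit(":", 1)
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return None
        return userid, signature

    def verifyIdentifier(self, identifier):
        parts = self._split(identifier)
        if parts is None:
            return False
        userid, signature = parts
        # Constant-time comparison: a plain == would leak timing information.
        return hmac.compare_digest(signature, self._signature(userid))

    def extractLoginName(self, identifier):
        parts = self._split(identifier)
        return parts[0] if parts is not None else None

    def invalidateSession(self, principal):
        # Nothing is stored per user, so one session cannot be revoked on its own:
        # this is the "hard to lock out users" downside of the hash approach.
        return False

    def rotateSecret(self):
        # Replacing the secret invalidates every outstanding identifier at once.
        self.secret = secrets.token_bytes(32)
```

Rotating the secret is the only lever this design offers for revocation, and it logs out every user at once rather than just the one whose password changed.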

Changelog

3.0a2 - 2009-11-13

  • Remove hash management UI which had been accidentally re-merged. [davisagli]

3.0a1 - 2009-04-04

  • Avoid deprecation warning for the sha module in Python 2.6. [hannosch]

  • Declare test dependencies in an extra. [hannosch]

  • Specify package dependencies. [hannosch]

  • Fixed the remaining tests to work with the new keyring backend. [hannosch]

  • Fixed a component lookup call in the HashSession source. [davisagli, hannosch]

  • Update default (hash) session source to use plone.keyring to manage the secrets. [wichert]

2.1 - February 4, 2009

  • Protect the setupSession call with the ManageUsers permission. Fixes possible privilege escalation. [maurits]

  • Make the cookie lifetime configurable. Patch by Rok Garbas. Fixes http://dev.plone.org/plone/ticket/7248 [wichert, garbas]

2.0 - July 8, 2008

1.2 - February 15, 2007

  • Use the binascii base64 methods to encode/decode the session cookie. This prevents newlines being inserted in long cookies. [wichert]

1.1 - September 11, 2007

  • Use the userid instead of the login name in session identifiers. This has the side-effect of working around a bug in PAS which caused us to mix up users when the login name used was an inexact match for another login name. [wichert]

1.0 - August 15, 2007

  • First stable release [wichert]


Source Distribution

plone.session-3.0a2.zip (26.1 kB)
