Ticket #13700 (new PLIP)
Change to session plugin on zope acl_users replacement
| Reported by: | ramon | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 5.0 |
| Component: | Unknown | Version: | |
| Keywords: | | Cc: | |
Description (last modified by ramon)
Proposer: Ramon Navarro Bosch
Seconder: The Security Team
Motivation
The credentials_cookie_auth plugin that is currently installed when CMFPlone is set up relies on weak cookies, which may lead to a security problem.
Proposal & Implementation
On PlonePAS install, the Zope root acl_users user folder is removed and replaced with the PlonePAS acl_users. At that moment, instead of activating credentials_cookie_auth, the session plugin should be set up.
Deliverables
new release of Products.PlonePAS
Risks
Work is done on https://github.com/plone/Products.PlonePAS/tree/plip13700-sessionroot
Change History
comment:1 Changed 3 years ago by ramon
- Type changed from Bug to PLIP
- Description modified
- Milestone changed from 4.x to 5.0
comment:3 Changed 3 years ago by davisagli
So this is about making the Zope user folder use the same session mechanism as the Plone-level user folder? Sounds like a good idea to me.
comment:4 Changed 3 years ago by thet
+1.
While reproducing your proposal by following code paths, I felt that the way PluggableAuthService replaces the acl_users folder with another one, migrating users and passwords, seems quite bulky. The whole authentication story could need a full rewrite. But that's a totally different story...