Ticket #7896 (confirmed Bug)
PlonePAS ExtendedCookieAuthHelper doesn't play well with other plugins
| Reported by: | dreamcatcher | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | 4.x |
| Component: | General | Version: | |
| Keywords: | plonepas, cookies, authentication, plugins | Cc: | |
Description
Use case:
- The cookie auth plugin is used to get the login form and for extractCredentials.
- A different plugin is used for authentication. The authenticateCredentials plugin returns a different (user_id, login) than the one extracted by cookie auth plugin.
- The plugin from plone.session is used for updateCredentials.
What happens:
- Returns 'user@…' as the login (what was typed in the form)
- Returns 'user' for the login (because only the user part was used for authentication).
- The login() method of ExtendedCookieAuthPlugin reaches into the request and looks for __ac_username (HARDCODED!) to fetch the login, so it returns what was typed into the form.
At this point, the login fails, because the session plugin calls _verifyUser(), and that will *fail* with the typed-in login. It does work with the login used for authentication though.
The solution is to use the _extractUserIds() method instead, which will use the 'login' that was used for authentication. Patch attached.
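The failure path described above, reduced to a runnable model. This is an added illustration, not PlonePAS, plone.session or the attached patch: the plugin classes, AclUsers, run_login, the constructed user table and the `calls` counter are all assumptions made here, and only the interface names (extractCredentials, authenticateCredentials, updateCredentials, _verifyUser, _extractUserIds, __ac_username) come from the ticket. It shows login() failing when it takes __ac_username from the request, succeeding when it goes through _extractUserIds(), and, going one step beyond the ticket, a third hypothetical variant that reuses the result of the authentication that already ran for the request so the backend is only hit once.

```python
# Model of the PAS plugin interaction from the ticket; constructed for
# illustration, not PlonePAS/plone.session code. Interface names are the
# ticket's, their bodies are simplified stand-ins.


class CookieExtractionPlugin:
    """Stand-in for the cookie auth plugin: hands back what was typed."""

    def extractCredentials(self, request):
        return {"login": request["__ac_username"],
                "password": request["__ac_password"]}


class LocalPartAuthPlugin:
    """Stand-in for a different authentication plugin that only uses the part
    before '@', so the (user_id, login) it returns differs from the typed login.
    `users` is a constructed {login: password} table; `calls` counts backend hits."""

    def __init__(self, users):
        self.users = users
        self.calls = 0

    def authenticateCredentials(self, credentials):
        self.calls += 1
        login = credentials["login"].split("@", 1)[0]
        if self.users.get(login) == credentials["password"]:
            return (login, login)  # (user_id, login)
        return None


class SessionUpdatePlugin:
    """Stand-in for plone.session's updateCredentials: refuses to issue a
    session for a login that acl_users cannot verify."""

    def __init__(self, acl_users):
        self.acl_users = acl_users

    def updateCredentials(self, request, response, login, password):
        if self.acl_users._verifyUser(login) is None:
            raise ValueError("unknown login %r" % login)
        response["__ac"] = "session-for:" + login


class AclUsers:
    """Minimal acl_users wiring the three plugins together."""

    def __init__(self, extractor, authenticator):
        self.extractor = extractor
        self.authenticator = authenticator
        self.updater = SessionUpdatePlugin(self)

    def _extractUserIds(self, request):
        creds = self.extractor.extractCredentials(request)
        result = self.authenticator.authenticateCredentials(creds)
        ids = [result] if result else []
        # Hypothetical, not a PAS feature: remember what this request
        # authenticated as so a later caller can reuse it.
        request["_pas_authenticated"] = ids
        return ids

    def _verifyUser(self, login):
        return login if login in self.authenticator.users else None


def _issue_session(acl_users, request, response, login):
    acl_users.updater.updateCredentials(request, response, login,
                                        request["__ac_password"])
    return login


def login_hardcoded(acl_users, request, response):
    """login() as reported: takes __ac_username straight from the request."""
    return _issue_session(acl_users, request, response, request["__ac_username"])


def login_via_extract(acl_users, request, response):
    """The patch's approach: ask _extractUserIds() for the login that
    authentication actually used (which runs authentication again)."""
    ids = acl_users._extractUserIds(request)
    if not ids:
        return None
    return _issue_session(acl_users, request, response, ids[0][1])


def login_from_cached_auth(acl_users, request, response):
    """Hypothetical alternative: reuse the result of the authentication that
    already ran for this request instead of authenticating a second time."""
    ids = request.get("_pas_authenticated")
    if ids is None:
        ids = acl_users._extractUserIds(request)
    if not ids:
        return None
    return _issue_session(acl_users, request, response, ids[0][1])


def run_login(login_impl, password="secret"):
    """Drive one form login: PAS validates the request once during traversal,
    then the login view calls `login_impl`. Returns (login the session was
    issued for or None, backend authentication calls, session cookie or None)."""
    auth = LocalPartAuthPlugin({"user": "secret"})  # constructed user table
    acl = AclUsers(CookieExtractionPlugin(), auth)
    request = {"__ac_username": "user@example.org", "__ac_password": password}
    response = {}
    if not acl._extractUserIds(request):  # traversal-time validation
        return None, auth.calls, None
    try:
        issued = login_impl(acl, request, response)
    except ValueError:  # _verifyUser() rejected the login handed to the session plugin
        issued = None
    return issued, auth.calls, response.get("__ac")
```

Running `run_login` with each of the three implementations gives the three outcomes the thread argues about: the hardcoded lookup issues no session at all, the _extractUserIds() route issues one for 'user' but counts two backend authentications per login, and the cached variant issues the same session with a single backend call.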
Attachments
- plonepas-cookie-handler.diff (added by dreamcatcher): Patch for Extended Auth Cookie Handler
Change History
Changed 8 years ago by dreamcatcher
- attachment plonepas-cookie-handler.diff added
comment:1 Changed 8 years ago by wichert
With that change the whole authentication happens twice, which can double the load on authentication servers and is likely to trip DoS-protection on them (I've seen RADIUS servers trip on that very often). I'd like to see an alternative solution that prevents that.
comment:2 Changed 7 years ago by hannosch
- Component changed from Login and registration to Infrastructure