Ticket #13700 (new PLIP)

Opened 3 years ago

Last modified 3 years ago

Change to session plugin on zope acl_users replacement

Reported by: ramon Owned by:
Priority: minor Milestone: 5.0
Component: Unknown Version:
Keywords: Cc:

Description (last modified by ramon)

Proposer: Ramon Navarro Bosch

Seconder: The Security Team

Motivation

The credentials_cookie_auth plugin that is currently installed with CMFPlone deals with weak cookies that may lead to a security problem.

Proposal & Implementation

When PlonePAS is installed, the Zope root acl_users user folder is removed and replaced by the PlonePAS acl_users. At that moment, instead of activating credentials_cookie_auth, we need to set up the session plugin.

Deliverables

New release of Products.PlonePAS

Risks

Work is done on https://github.com/plone/Products.PlonePAS/tree/plip13700-sessionroot
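The security difference behind this PLIP, as an added illustration that is not code from Products.PlonePAS or plone.session: the credentials_cookie_auth plugin (PAS CookieAuthHelper) stores the login and password base64-encoded in the __ac cookie, so the cookie itself carries the password, whereas a session plugin issues an HMAC-signed ticket that names the user without any password. The ticket format below is a simplified stand-in, not plone.session's real wire format, and the cookie value, secret and userid are constructed sample data.

```python
import base64
import hashlib
import hmac

# Constructed sample of the legacy __ac cookie: base64 of "login:password".
# Whoever holds the cookie (logs, proxies, XSS, a stolen cookie jar) holds the password.
WEAK_COOKIE = base64.b64encode(b"alice:s3cret-pw").decode()


def weak_cookie_reveals_password(cookie: str) -> str:
    """Decode the legacy cookie; returns the plaintext password it carries."""
    _login, password = base64.b64decode(cookie).decode().split(":", 1)
    return password


# Simplified signed session ticket (assumption: modelled loosely on the
# mod_auth_tkt-style tickets plone.session uses, not its exact format).
SECRET = b"server-side-secret-never-sent-to-client"  # constructed
TTL = 3600  # seconds a ticket stays valid


def make_ticket(userid: str, now: int, secret: bytes = SECRET) -> str:
    """Sign userid + issue timestamp; the cookie carries no password at all."""
    payload = f"{now:08x}{userid}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return mac + payload


def validate_ticket(ticket: str, now: int, secret: bytes = SECRET):
    """Return the userid if MAC and timestamp check out, otherwise None."""
    if len(ticket) < 64 + 8:
        return None
    mac, payload = ticket[:64], ticket[64:]
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered userid/timestamp or forged without the secret
    issued = int(payload[:8], 16)
    if issued > now or now - issued > TTL:
        return None  # expired, or timestamp from the future
    return payload[8:]
```

A stolen ticket can only be replayed until it expires and cannot be turned into the user's password, which is the property the cookie plugin lacks.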

Change History

comment:1 Changed 3 years ago by ramon

  • Type changed from Bug to PLIP
  • Description modified
  • Milestone changed from 4.x to 5.0

comment:2 Changed 3 years ago by ramon

  • Description modified

comment:3 Changed 3 years ago by davisagli

So this is about making the Zope user folder use the same session mechanism as the Plone-level user folder? Sounds like a good idea to me.

comment:4 Changed 3 years ago by thet

+1.

While reproducing your proposal by following code paths, I felt that the way PluggableAuthService replaces the acl_users folder with another one, migrating users and passwords, seems quite bulky. The whole authentication story could need a full rewrite. But that's a totally different story...
