Ticket #7896 (confirmed Bug)

Opened 8 years ago

Last modified 4 years ago

PlonePAS ExtendedCookieAuthHelper doesn't play well with other plugins

Reported by: dreamcatcher Owned by:
Priority: minor Milestone: 4.x
Component: General Version:
Keywords: plonepas, cookies, authentication, plugins Cc:

Description

Use case:

  1. The cookie auth plugin is used to get the login form and for extractCredentials.
  2. A different plugin is used for authentication. The authenticateCredentials plugin returns a different (user_id, login) than the one extracted by cookie auth plugin.
  3. The plugin from plone.session is used for updateCredentials.

What happens:

  1. Returns 'user@…' as the login (what was typed in the form)
  2. Returns 'user' for the login (because only the user part was used for authentication).
  3. The login() method of ExtendedCookieAuthPlugin reaches into the request and looks for __ac_username (HARDCODED!) to fetch the login, so it returns what was typed into the form.

At this point, the login fails, because the session plugin calls _verifyUser(), and that will *fail* with the typed-in login. It does work with the login used for authentication though.

The solution is to use _extractUserIds() method instead, which will use the 'login' that was used for authentication. Patch attached.

Attachments

plonepas-cookie-handler.diff Download (1.6 KB) - added by dreamcatcher 8 years ago.
Patch for Extended Auth Cookie Handler

Change History

Changed 8 years ago by dreamcatcher

Patch for Extended Auth Cookie Handler

comment:1 Changed 8 years ago by wichert

With that change the whole authentication happens twice, which can double the load on authentication servers and is likely to trip DoS-protection on them (I've seen RADIUS-server trip on that very often). I'd like to see an alternative solution that prevents that.
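The following is an added illustration, not PlonePAS code and not the attached patch: a toy model of the plugin chain from the ticket description (extraction returns the typed-in login, authentication answers with a different login, the cookie helper's login() reads __ac_username straight from the request) together with the point raised in comment 1, namely that obtaining the authenticated login via _extractUserIds() re-runs authentication. The names extract_credentials, authenticate_credentials, extract_user_ids and verify_user are constructed stand-ins for the PAS methods of the same spelling; the user store, request values and "local part only" backend rule are constructed sample data.

```python
# Added example (not PlonePAS code): toy model of the PAS chain described
# in the ticket. It shows why login() fails when it trusts __ac_username,
# and that re-deriving the login through _extractUserIds() costs a second
# authenticateCredentials call, as noted in comment 1.

AUTH_CALLS = {"count": 0}   # counts authenticate_credentials invocations

# Constructed user store: only the authenticated login 'user' is known.
USERS = {"user": {"login": "user"}}


def extract_credentials(request):
    # Cookie-auth style extraction: hands back exactly what was typed.
    return {"login": request["__ac_username"],
            "password": request["__ac_password"]}


def authenticate_credentials(creds):
    # Hypothetical backend: authenticates on the local part of the typed
    # login and reports the login it actually used (the ticket's step 2).
    AUTH_CALLS["count"] += 1
    local = creds["login"].split("@", 1)[0]
    if creds["password"] == "s3cret" and local in USERS:
        return (local, local)   # (user_id, login)
    return None


def verify_user(login):
    # Mirrors the session plugin's _verifyUser(): the login must be known.
    return login in USERS


def extract_user_ids(request):
    # Mirrors _extractUserIds(): extraction + authentication run again.
    result = authenticate_credentials(extract_credentials(request))
    return [result] if result else []


def login_hardcoded(request):
    # Original behaviour (ticket step 3): trusts the raw __ac_username.
    return verify_user(request["__ac_username"])


def login_patched(request):
    # Patched behaviour: uses the login returned by authentication.
    ids = extract_user_ids(request)
    if not ids:
        return False
    _user_id, login = ids[0]
    return verify_user(login)


def simulate(login_fn):
    """Run one login with the given cookie-helper login() variant.

    Returns (login_succeeded, number_of_authentication_calls).
    """
    AUTH_CALLS["count"] = 0
    # Constructed request: the user typed an e-mail style login.
    request = {"__ac_username": "user@example.com",
               "__ac_password": "s3cret"}
    # First pass: extract -> authenticate (one authentication call).
    if authenticate_credentials(extract_credentials(request)) is None:
        return (False, AUTH_CALLS["count"])
    # updateCredentials step: the cookie helper's login() runs.
    return (login_fn(request), AUTH_CALLS["count"])


if __name__ == "__main__":
    print("hardcoded:", simulate(login_hardcoded))  # login fails, 1 auth call
    print("patched:  ", simulate(login_patched))    # login works, 2 auth calls
```

The two simulate() results side by side make the trade-off concrete: the hardcoded variant verifies the typed-in 'user@example.com' and fails, while the patched variant verifies 'user' and succeeds but only after a second trip through the authentication backend.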

comment:2 Changed 7 years ago by hannosch

  • Component changed from Login and registration to Infrastructure

comment:3 Changed 4 years ago by kleist

  • Status changed from new to confirmed
  • Version set to 3.3
  • Component changed from Infrastructure to General

Still an issue in Plone 4?

comment:4 Changed 4 years ago by hannosch

  • Version 3.3 deleted
  • Milestone changed from 3.3.x to 4.x

Most likely this is still an issue.
