plone.session 3.0b2

Session based authentication for Zope

Overview

plone.session implements secure session management for Zope sites.

In its default configuration plone.session uses an HMAC SHA-256 secure cryptographic hash to authenticate sessions. The hash is generated using the users login name and a secret stored in the PAS plugin. Otherwise, the cookie format is identical to that of Apache’s mod_auth_tkt. For single sign on with the original mod_auth_tkt or another compatible implementation, set the mod_auth_tkt property to true. This invokes an MD5 based double hashing scheme. You will need to use the same secret across all servers.

This has several advantages over other session management systems:

• passwords are not sent to the server in a cookie on every request, as is done by the Cookie Auth Helper

• it does not require any ZODB write for sessions, as is needed by the Session Crumbler. This allows it to scale very well.

• it allows you to invalidate all existing authentication cookies for users by updating the secret.

• The cookie is only valid for the period specified by the timeout property.

There are some downsides to this approach:

• if a users password is changed or disabled session identifiers will continue to work, making it hard to lock out individual users.

• a user must have cookies enabled.

A session cookie is used to track sessions; that means that as long as a user keeps his browser open (and does not explicitly log out) the session remains open until the timout limit is reached. This can be changed by setting the timeout property of the plugin to the number of seconds the cookie should remain valid after the moment of login.

tktauth.py implements the core mod_auth_tkt functionality. It is self-contained and may be of useful to other frameworks.

Using plone.session

plone.session only takes care of handling sessions for already authenticated users. This means it can not be used stand-alone: you need to have another PAS plugin, such as the standard Cookie Auth Helper to take care of authentication.

After a user has been authenticated plone.session can take over via the PAS credentials update mechanism.

Configuration options

To enable logins between sites or other mod_auth_tkt systems, set the shared secret through the Zope Management Interface. You can manage the plone.keyring secrets through the same page.

The following properties may be set through the Properties tab:

Cookie validity timeout (in seconds)

After this, the session is invalid and the user must login again. Set to 0 for the cookie to remain valid indefinitely. Note that when the user folder has caching enabled, cookie validity may not be checked on every request.

Use mod_auth_tkt compatabile hashing algorithm

Compatibility with other implemenations, but at the cost of using a weaker hashing algorithm.

Cookie name

Which cookie to use. This must also be set on the credentials_cookie_auth plugin.

Cookie lifetime (in days)

This makes the cookie persistent across opening and closing the browser.

Cookie domain (blank for default)

A cookie may be shared across www1.example.com and www2.example.com by setting the cookie domain to .example.com.

Cookie path

What path the cookie is set valid (defaults to /.)

Changelog

3.0b2 - 2010-03-09

• Prefix setupSession with underscore, the method should be unavailable TTW. [elro]

• Catch a ComponentLookupError in authenticateCredentials. [elro]

3.0b1 - 2010-03-05

• Add back the hash management UI with added functionality to set shared secret. [elro]

• Add properties for cookie domain and ticket validity timeout. [elro]

• Use mod_auth_tkt format cookies to give us a session validity timeout. By default we use a more secure HMAC SHA-256 hashing scheme. An MD5 based scheme compatible with other mod_auth_tkt implementations is optional. [elro]

• Remove the source component indirection. [elro]

3.0a2 - 2009-11-13

• Remove hash management UI which had been accidentally re-merged. [davisagli]

3.0a1 - 2009-04-04

• Avoid deprecation warning for the sha module in Python 2.6. [hannosch]

• Declare test dependencies in an extra. [hannosch]

• Specify package dependencies. [hannosch]

• Fixed the remaining tests to work with the new keyring backend. [hannosch]

• Fixed a component lookup call in the HashSession source. [davisagli, hannosch]

• Update default (hash) session source to use plone.keyring to manage the secrets. [wichert]

2.1 - February 4, 2009

• Protect the setupSession call with the ManageUsers permission. Fixes possible privilege escalation. [maurits]

• Make the cookie lifetime configurable. Patch by Rok Garbas. Fixes http://dev.plone.org/plone/ticket/7248 [wichert, garbas]

2.0 - July 8, 2008

• Fix CSRF protection for managing server secrets via the Plone session plugin for PAS. Fixes http://dev.plone.org/plone/ticket/8176 [witsch]

1.2 - February 15, 2007

• Use the binascii base64 methods to encode/decode the session cookie. This prevents newlines being inserted in long cookies. [wichert]

1.1 - September 11, 2007

• Use the userid instead of the login name in session identifiers. This has the side-effect of working around a bug in PAS which caused us to mix up users when the login name used was an inexact match for another login name. [wichert]

1.0 - August 15, 2007

• First stable release [wichert]