
[John Morton]
John Morton writes:
I was looking at the code for the admin cgi in search of a good cookie authentication system, and found out that it was doing this,
Thanks for letting us know -- this certainly gave me some incentive to have a look at what those pesky cookies really are all about. I guess Barry'll have to whip up a new release (1.0rc2?) shortly...
Any better suggestions?
A quick glance at the WWW security FAQ suggests a good solution:
As the extra complexity added by having to save session state on the server side (i.e. have Mailman keep track of session IDs) is rather large, and as Mailman isn't safe from packet sniffing anyway (unless you're running things on an SSL server, in which case cookie sniffing shouldn't be of any trouble anyway), I settled for slightly less.
I have just committed a fix to CVS, based on these two new SecurityManager functions:
import os
import time
from Mailman import mm_cfg   # supplies ADMIN_COOKIE_LIFE (cookie lifetime in seconds)

# Both are methods of Mailman's SecurityManager class; self.password is the
# list's admin password attribute and serves as the secret for the MAC.

def MakeCookie(self):
    # Bind the cookie to the client address the CGI sees.
    client_ip = os.environ.get('REMOTE_ADDR') or '0.0.0.0'
    issued = int(time.time())
    expires = issued + mm_cfg.ADMIN_COOKIE_LIFE
    secret = self.password
    # Authenticator over (client_ip, issued, expires), keyed with the secret.
    mac = hash(secret + client_ip + repr(issued) + repr(expires))
    return [client_ip, issued, expires, mac]

def CheckCookie(self, cookie):
    # Reject anything that is not a 4-element list.
    if type(cookie) != type([]):
        return 0
    if len(cookie) != 4:
        return 0
    client_ip = os.environ.get('REMOTE_ADDR') or '0.0.0.0'
    [for_ip, issued, expires, received_mac] = cookie
    # The cookie must have been issued to this client address ...
    if for_ip != client_ip:
        return 0
    # ... and must still be inside its validity window.
    now = time.time()
    if not issued < now < expires:
        return 0
    secret = self.password
    # Recompute the authenticator and compare it with the one presented.
    mac = hash(secret + client_ip + repr(issued) + repr(expires))
    if mac != received_mac:
        return 0
    return 1
Hopefully, this new cookie scheme will suffice -- if anyone does see flaws in it, don't hesitate to get in touch.
Harald
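The stateless scheme above (client address, issue and expiry times, and an authenticator keyed with the admin secret, with nothing stored on the server) written out as a stand-alone example. This is added example code, not Mailman's own, and it differs from the committed functions in one deliberate respect: the authenticator is an HMAC-SHA256 rather than Python's built-in hash(). hash() is not a keyed MAC, and in Python 3 string hashes are additionally randomized per process, so a value computed by one CGI invocation would not even verify in the next. The names make_cookie, check_cookie, encode_cookie, decode_cookie and COOKIE_LIFE are this example's own; the client address and current time are passed in explicitly instead of read from REMOTE_ADDR and time.time() so the checks can be exercised offline.

```python
"""Stateless, IP-bound admin cookie with an HMAC authenticator (added example)."""
import base64
import hashlib
import hmac
import json
import time

COOKIE_LIFE = 3600  # assumed lifetime in seconds; stands in for mm_cfg.ADMIN_COOKIE_LIFE


def _mac(secret, client_ip, issued, expires):
    """Keyed authenticator over the cookie fields (HMAC-SHA256, hex)."""
    # Fields are joined with a separator that cannot occur in an IP or an int,
    # so two different (ip, issued, expires) triples never produce the same message.
    msg = "%s|%d|%d" % (client_ip, issued, expires)
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def make_cookie(secret, client_ip, now=None, lifetime=COOKIE_LIFE):
    """Issue [client_ip, issued, expires, mac]; same layout as the Mailman list."""
    issued = int(now if now is not None else time.time())
    expires = issued + lifetime
    return [client_ip, issued, expires, _mac(secret, client_ip, issued, expires)]


def check_cookie(secret, cookie, client_ip, now=None):
    """True only if the cookie is well-formed, for this client, unexpired and authentic."""
    if not isinstance(cookie, list) or len(cookie) != 4:
        return False
    for_ip, issued, expires, received_mac = cookie
    # Everything in the cookie is attacker-controlled until the MAC checks out,
    # so validate types before doing arithmetic or string work on them.
    if not (isinstance(for_ip, str) and isinstance(issued, int)
            and isinstance(expires, int) and isinstance(received_mac, str)):
        return False
    # Bound to the address the request actually came from.
    if for_ip != client_ip:
        return False
    # Validity window: accepted from the issuing second up to (not including) expiry.
    now = now if now is not None else time.time()
    if not issued <= now < expires:
        return False
    # Recompute over the presented fields; any edit (e.g. a pushed-out expiry)
    # changes the message and fails here.  compare_digest avoids a timing leak.
    expected = _mac(secret, for_ip, issued, expires)
    return hmac.compare_digest(expected, received_mac)


def encode_cookie(cookie):
    """Serialize the list into a value safe to put in a Set-Cookie header."""
    return base64.urlsafe_b64encode(json.dumps(cookie).encode()).decode()


def decode_cookie(value):
    """Inverse of encode_cookie; returns None on garbage instead of raising."""
    try:
        return json.loads(base64.urlsafe_b64decode(value.encode()))
    except (ValueError, TypeError):
        return None


if __name__ == "__main__":
    # Constructed sample: one admin session from a fixed address at a fixed time.
    secret, ip, t0 = "list-admin-password", "192.0.2.10", 1_000_000
    c = make_cookie(secret, ip, now=t0)
    print("issued:", c)
    print("valid, same client, 1s later:", check_cookie(secret, c, ip, now=t0 + 1))
    print("valid, other client:        ", check_cookie(secret, c, "198.51.100.7", now=t0 + 1))
    forged = [c[0], c[1], c[2] + 86400, c[3]]  # try to extend expiry without the secret
    print("valid, extended expiry:     ", check_cookie(secret, forged, ip, now=t0 + 1))
    print("valid, after expiry:        ", check_cookie(secret, c, ip, now=c[2]))
```

The check order matters only for cost, not for security: every rejection path returns the same False, and the MAC is always verified last over exactly the fields that will be trusted. The IP binding keeps a stolen cookie from being replayed from another address, which is the "slightly less" than server-side sessions that the post settles for; it does nothing against a sniffer on the same address or path, which is why the post points at running the CGI behind SSL.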