After I released the admin patches, I realized that the way the cookies were put together was causing some problems. I rewrote the function isAuthenticated to work more like the same function in private.
This change addresses much of what you are saying.
I haven't posted about this till now because I've been quite busy with other things and unsure about the best way to submit a patch to a patch to a patch ;)
On Sat, May 30, 1998 at 03:41:04AM -0700, John Viega wrote:
| I installed Scott's patches for confirmation and admin logins (thank
| god for ediff-buffers). I have a couple of questions mainly for
| Scott, but I think other people might be interested in discussing
| them.
|
| First, I don't know what the expiration time for cookies is, but the
| cookie didn't go away when I shut down my browser. Do you think
| that's good behavior?
No.
| I'd like to not be implicitly logged in if
| someone else starts up my browser. Also, I've seen some sites that
| log people off automatically after 15 mins of inactivity on that site.
| Do you think that's a good idea?
The cookies will not allow anyone to submit changes after the timeout period (defaulting to 20 minutes). I'm not sure how to portably force people to be logged off in any other way.
|
| Second, if you don't have cookies on, changes don't get made. You get
| sent back to the login screen, and when you log back in, everything is
| the same. Should cookies really be required?
With the changed isAuthenticated function, an admin can enter the password on each screen to make changes, but will still have to log into each section separately :(.
| Something that could be
| done to offer similar functionality yet not require cookies would be
| to have an "enter your password" box after the initial login, and put
| the password in the proper field as default text. While that may not
| be incredibly secure, it's not much worse than sending a plaintext
| password via httpd the first time only (although the password will be
| in the page source).
|
| Also, perhaps there should be a way to explicitly log out?
That sounds like a good idea.
My rewrite of the isAuthenticated function in the admin cgi follows:
scott
SECRET = "monty"

# os, string, Cookie, mm_cfg, mm_err, doc, list_name and AddErrorMessage
# are module-level names in admin.cgi; this function relies on them.
def isAuthenticated(list, password=None, SECRET=SECRET):
    # The default must be the module constant, not the literal "SECRET",
    # or the configured secret would never be used.
    import base64, md5, os, string, Cookie
    if password is not None:
        # explicit login: verify the admin password, then hand out the cookie
        try:
            list.ConfirmAdminPassword(password)
        except mm_err.MMBadPasswordError:
            AddErrorMessage(doc, 'Error: Incorrect admin password.')
            return 0
        token = md5.new(SECRET + list_name + SECRET).digest()
        token = base64.encodestring(token)
        token = string.strip(token)
        c = Cookie.Cookie()
        cookie_key = list_name + "-admin"
        c[cookie_key] = token
        c[cookie_key]['expires'] = mm_cfg.ADMIN_COOKIE_LIFE
        # scope the cookie to the admin script's path (strip scheme and host)
        path = list.GetScriptURL("admin")
        path = path[string.find(path, "://") + 3:]
        path = path[string.find(path, "/"):]
        c[cookie_key]["path"] = path
        print c  # Output the cookie
        return 1
    # no password supplied: accept a previously issued cookie
    if os.environ.has_key('HTTP_COOKIE'):
        c = Cookie.Cookie(os.environ['HTTP_COOKIE'])
        if c.has_key(list_name + "-admin"):
            inp = base64.decodestring(c[list_name + "-admin"].value)
            check = md5.new(SECRET + list_name + SECRET).digest()
            if inp == check:
                return 1
            else:
                return 0
    return 0
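The token in the function above is a fixed function of SECRET and the list name, so the server cannot tell when a cookie was issued: the 20-minute limit is enforced only by the browser honouring the expires attribute, and a captured cookie stays valid until the secret changes. The following is an added example, not Scott's code and not part of Mailman, showing the same admin cookie with the issue time folded into an HMAC so the server enforces the lifetime itself, plus the explicit logout John asked about. ADMIN_COOKIE_LIFE, SITE_SECRET, the cookie path and the list names in the sample are assumed values.

```python
import base64
import hashlib
import hmac
import time
from http.cookies import SimpleCookie

# Assumed values standing in for mm_cfg.ADMIN_COOKIE_LIFE and a per-site
# secret; a real deployment loads the secret from config, not from source.
ADMIN_COOKIE_LIFE = 20 * 60
SITE_SECRET = b"example-site-secret"


def _mac(secret, list_name, issued):
    # Bind the tag to both the list and the issue time, so a cookie for one
    # list cannot be replayed against another or kept alive past its lifetime.
    msg = ("%s:%d" % (list_name, issued)).encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def make_admin_cookie(list_name, secret=SITE_SECRET, now=None,
                      lifetime=ADMIN_COOKIE_LIFE, path="/mailman/admin"):
    """Build the Set-Cookie for a successful admin login."""
    issued = int(now if now is not None else time.time())
    tag = base64.urlsafe_b64encode(_mac(secret, list_name, issued)).decode()
    c = SimpleCookie()
    key = list_name + "-admin"
    c[key] = "%d:%s" % (issued, tag)
    c[key]["max-age"] = lifetime     # browser-side hint only
    c[key]["path"] = path
    c[key]["httponly"] = True
    return c


def verify_admin_cookie(cookie_header, list_name, secret=SITE_SECRET,
                        now=None, lifetime=ADMIN_COOKIE_LIFE):
    """Server-side check of the Cookie header; lifetime is enforced here."""
    now = int(now if now is not None else time.time())
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(list_name + "-admin")
    if morsel is None:
        return False
    issued_s, _, tag_b64 = morsel.value.partition(":")
    if not issued_s.isdigit():
        return False
    issued = int(issued_s)
    # Reject cookies from the future as well as expired ones.
    if not (issued <= now < issued + lifetime):
        return False
    try:
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False
    return hmac.compare_digest(tag, _mac(secret, list_name, issued))


def logout_cookie(list_name, path="/mailman/admin"):
    """Set-Cookie that clears the admin cookie (explicit logout)."""
    c = SimpleCookie()
    key = list_name + "-admin"
    c[key] = ""
    c[key]["max-age"] = 0
    c[key]["path"] = path
    return c


def cookie_header_for(cookie):
    """Turn a SimpleCookie into the Cookie: header a browser would send back."""
    return "; ".join("%s=%s" % (k, m.coded_value) for k, m in cookie.items())


if __name__ == "__main__":
    issued_cookie = make_admin_cookie("mylist", now=1000)
    print(issued_cookie.output())
    header = cookie_header_for(issued_cookie)
    print("valid at t=1500:", verify_admin_cookie(header, "mylist", now=1500))
    print("valid at t=2200:", verify_admin_cookie(header, "mylist", now=2200))
    print(logout_cookie("mylist").output())
```

Because the issue time is covered by the MAC, an attacker who captures the cookie cannot extend it by editing the timestamp, and rotating SITE_SECRET invalidates every outstanding cookie at once; an inactivity timeout can be added by re-issuing the cookie with a fresh timestamp on each successful admin request.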