I installed Scott's patches for confirmation and admin logins (thank god for ediff-buffers). I have a couple of questions mainly for Scott, but I think other people might be interested in discussing them.
First, I don't know what the expiration time for cookies is, but the cookie didn't go away when I shut down my browser. Do you think that's good behavior? I'd like to not be implicitly logged in if someone else starts up my browser. Also, I've seen some sites that log people off automatically after 15 mins of inactivity on that site. Do you think that's a good idea?
Second, if you don't have cookies on, changes don't get made. You get sent back to the login screen, and when you log back in, everything is the same. Should cookies really be required? Something that could be done to offer similar functionality yet not require cookies would be to have an "enter your password" box after the initial login, and put the password in the proper field as default text. While that may not be incredibly secure, it's not much worse than sending a plaintext password via httpd the first time only (although the password will be in the page source).
Also, perhaps there should be a way to explicitly log out? I can't get logged out, even by turning off cookies!
John
After i released the admin patches, i realized that the way the cookies were put together was causing some problems. i rewrote the function isAuthenticated to work more like the same function in private.
this change addresses much of what you are saying.
i haven't posted about this till now because i've been quite busy with other things and unsure about the best way to submit a patch to a patch to a patch ;)
On Sat, May 30, 1998 at 03:41:04AM -0700, John Viega wrote:
| I installed Scott's patches for confirmation and admin logins (thank
| god for ediff-buffers). I have a couple of questions mainly for
| Scott, but I think other people might be interested in discussing
| them.
|
| First, I don't know what the expiration time for cookies is, but the
| cookie didn't go away when I shut down my browser. Do you think
| that's good behavior?
no.
| I'd like to not be implicitly logged in if
| someone else starts up my browser. Also, I've seen some sites that
| log people off automatically after 15 mins of inactivity on that site.
| Do you think that's a good idea?
The cookies will not allow anyone to submit changes after the timeout period (defaulting to 20 minutes). I'm not sure how to portably force people to be logged off in any other way.
|
| Second, if you don't have cookies on, changes don't get made. You get
| sent back to the login screen, and when you log back in, everything is
| the same. Should cookies really be required?
With the changed isAuthenticated function, an admin can enter the password on each screen to make changes, but will still have to log into each section separately :(.
| Something that could be
| done to offer similar functionality yet not require cookies would be
| to have an "enter your password" box after the initial login, and put
| the password in the proper field as default text. While that may not
| be incredibly secure, it's not much worse than sending a plaintext
| password via httpd the first time only (although the password will be
| in the page source).
|
| Also, perhaps there should be a way to explicitly log out?
that sounds like a good idea.
my rewrite of the isAuthenticated function in the admin cgi follows:
scott
SECRET="monty"

# os, string, Cookie, mm_cfg, mm_err, list_name, doc and AddErrorMessage
# are module-level names of the admin cgi this function lives in.
def isAuthenticated(list, password=None, SECRET=SECRET):
    # The default binds the module-level SECRET above; the posted version
    # defaulted to the literal string "SECRET", leaving the global unused.
    import base64, md5
    if password is not None:
        # explicit login: check the password, then issue the admin cookie
        try:
            list.ConfirmAdminPassword(password)
        except mm_err.MMBadPasswordError:
            AddErrorMessage(doc, 'Error: Incorrect admin password.')
            return 0
        token = md5.new(SECRET + list_name + SECRET).digest()
        token = base64.encodestring(token)
        token = string.strip(token)
        c = Cookie.Cookie()
        cookie_key = list_name + "-admin"
        c[cookie_key] = token
        c[cookie_key]['expires'] = mm_cfg.ADMIN_COOKIE_LIFE
        # restrict the cookie to the admin script's path
        path = list.GetScriptURL("admin")
        path = path[string.find(path, "://") + 3:]
        path = path[string.find(path, "/"):]
        c[cookie_key]["path"] = path
        print c  # Output the cookie (Set-Cookie header)
        return 1
    # no password given: look for a previously issued admin cookie
    if os.environ.has_key('HTTP_COOKIE'):
        c = Cookie.Cookie(os.environ['HTTP_COOKIE'])
        if c.has_key(list_name + "-admin"):
            inp = base64.decodestring(c[list_name + "-admin"].value)
            check = md5.new(SECRET + list_name + SECRET).digest()
            if inp == check:
                return 1
            else:
                return 0
    return 0
On Sat, May 30, 1998 at 02:23:02PM -0400, Scott wrote:
> | I'd like to not be implicitly logged in if
> | someone else starts up my browser. Also, I've seen some sites that
> | log people off automatically after 15 mins of inactivity on that site.
> | Do you think that's a good idea?
> The cookies will not allow anyone to submit changes after the timeout
> period (defaulting to 20 minutes). I'm not sure how to portably force
> people to be logged off in any other way.
Well, what I'm talking about is the same thing, but if you press "submit" after the cookie runs out, you'll get an error message saying, "we've already logged you out due to inactivity", instead of just giving the login screen.
Also, I noticed that it looks like the edithtml pages don't share the same cookie (and, in fact, aren't using cookies at all at the moment...)
John
On Sat, May 30, 1998 at 01:28:29PM -0700, John Viega wrote:
| On Sat, May 30, 1998 at 02:23:02PM -0400, Scott wrote:
| >
| > | I'd like to not be implicitly logged in if
| > | someone else starts up my browser. Also, I've seen some sites that
| > | log people off automatically after 15 mins of inactivity on that site.
| > | Do you think that's a good idea?
| >
| > The cookies will not allow anyone to submit changes after the timeout
| > period (defaulting to 20 minutes). I'm not sure how to portably force
| > people to be logged off in any other way.
|
| Well, what I'm talking about is the same thing, but if you press
| "submit" after the cookie runs out, you'll get an error message
| saying, "we've already logged you out due to inactivity", instead of
| just giving the login screen.
how do you tell the difference between a cookie running out and no cookie being submitted in the first place?
| Also, I noticed that it looks like the edithtml pages don't share the
| same cookie (and, in fact, aren't using cookies at all at the moment...)
true. it seems like they should more for the sake of uniformity than anything else, as there's no reason to hide publicly accessible html pages from people. this shouldn't be too hard to do with the existing isAuthenticated function from the admin cgi. i don't think i'll have time to do that before i go away June 1-10, but i'm willing to change edithtml when i get back if no one's done it yet.
scott
On Sat, May 30, 1998 at 04:37:38PM -0400, Scott wrote:
> how do you tell the difference between a cookie running out and no
> cookie being submitted in the first place?
I think by checking to see if there are extra CGI parameters passed? If so, you can assume they were still on your page.
> | Also, I noticed that it looks like the edithtml pages don't share the
> | same cookie (and, in fact, aren't using cookies at all at the moment...)
>
> true. it seems like they should more for the sake of uniformity than
> anything else, as there's no reason to hide publicly accessible html
> pages from people. this shouldn't be too hard to do with the existing
> isAuthenticated function from the admin cgi. i don't think i'll have
> time to do that before i go away June 1-10, but i'm willing to change
> edithtml when i get back if no one's done it yet.
Would it be possible to keep 1 central auth checking function? I also noticed that admindb needs a similar mechanism. Also, when we add a site administrator's UI, we'll need to use the same functionality again...
John
On Sat, May 30, 1998 at 01:42:42PM -0700, John Viega wrote:
| On Sat, May 30, 1998 at 04:37:38PM -0400, Scott wrote:
| >
| > how do you tell the difference between a cookie running out and no
| > cookie being submitted in the first place?
|
| I think by checking to see if there are extra CGI parameters passed?
| If so, you can assume they were still on your page.
that's a good idea.
| > | Also, I noticed that it looks like the edithtml pages don't share the
| > | same cookie (and, in fact, aren't using cookies at all at the moment...)
| >
| > true. it seems like they should more for the sake of uniformity than
| > anything else, as there's no reason to hide publicly accessible html
| > pages from people. this shouldn't be too hard to do with the existing
| > isAuthenticated function from the admin cgi. i don't think i'll have
| > time to do that before i go away June 1-10, but i'm willing to change
| > edithtml when i get back if no one's done it yet.
|
| Would it be possible to keep 1 central auth checking function? I also
| noticed that admindb needs a similar mechanism. Also, when we add a
| site administrator's UI, we'll need to use the same functionality
| again...
i'm sure it would be possible, and thought that maybe such things should go in a general mailman cgi library, maybe in modules/mm_cgilib.py? i'm not sure where the best place for that is.
scott