[Catalog-sig] pythonpackages.com beta security

Alex Clark aclark at aclark.net
Fri Jul 20 04:39:28 CEST 2012


Earlier in the year I announced the pythonpackages.com alpha[1] and 
there was some helpful discussion in that thread about security. We are 
now in beta and since then, I've

- totally abandoned the idea of using pypissh
- investigated using PyPI oauth[3], but gave up
- settled on saving users credentials in an encrypted session cookie[4]

While not ideal, I'm fairly happy with the fact that it works and is 
"secure enough". However I'd very much appreciate some additional eyes 
on the implementation. The (very simple) pyramid code is:

     if 'submit' in request.POST:
         username = request.POST['username']
         password = request.POST['password']
         cookieval = {'username': username, 'password': password}
         request.session[config.COOKIE_PYPI] = cookieval

And the beta is available to anyone who signs up here: 
http://pythonpackages.com/signup, then signs in with their GitHub 
account. You can then go here:

- https://pythonpackages.com/manage/account/pypi

and fill in your PyPI credentials (or bogus credentials for testing) 
then verify you cannot easily extract the account info from the 
beaker.session.id cookie

Thanks for any feedback,


[1] http://mail.python.org/pipermail/catalog-sig/2012-January/004152.html

[2] http://pypi.python.org/pypi/pypissh/1.4

[3] https://bitbucket.org/loewis/pypi/changeset/b034fda5bef9

[4] http://beaker.readthedocs.org/en/latest/sessions.html#encryption

Alex Clark · http://pythonpackages.com/ONE_CLICK_RELEASE

More information about the Catalog-SIG mailing list