[Mailman-Developers] Cookies

Scott scott@chronis.pobox.com
Sat, 30 May 1998 14:23:02 -0400


After I released the admin patches, I realized that the way the
cookies were put together was causing some problems.  I rewrote the
function isAuthenticated to work more like the same function in
private.

This change addresses much of what you are saying.

I haven't posted about this till now because I've been quite busy with
other things and unsure about the best way to submit a patch to a
patch to a patch ;)

On Sat, May 30, 1998 at 03:41:04AM -0700, John Viega wrote:
| I installed Scott's patches for confirmation and admin logins (thank
| god for ediff-buffers).  I have a couple of questions mainly for
| Scott, but I think other people might be interested in discussing
| them.
| 
| First, I don't know what the expiration time for cookies is, but the
| cookie didn't go away when I shut down my browser.  Do you think
| that's good behavior?  

No.

| I'd like to not be implicitly logged in if
| someone else starts up my browser.  Also, I've seen some sites that
| log people off automatically after 15 mins of inactivity on that site.
| Do you think that's a good idea?

The cookies will not allow anyone to submit changes after the timeout
period (defaulting to 20 minutes).  I'm not sure how to portably force
people to be logged off in any other way.

| 
| Second, if you don't have cookies on, changes don't get made.  You get
| sent back to the login screen, and when you log back in, everything is
| the same.  Should cookies really be required?  

With the changed isAuthenticated function, an admin can enter the
password on each screen to make changes, but will still have to log
into each section separately :(.

| Something that could be
| done to offer similar functionality yet not require cookies would be
| to have an "enter your password" box after the initial login, and put
| the password in the proper field as default text.  While that may not
| be incredibly secure, it's not much worse than sending a plaintext
| password via httpd the first time only (although the password will be
| in the page source).
| 
| Also, perhaps there should be a way to explicitly log out?

That sounds like a good idea.

My rewrite of the isAuthenticated function in the admin CGI follows:

scott

import os, string
import Cookie                   # cookie parsing/formatting used by the CGI scripts
import mm_cfg, mm_err           # Mailman configuration and exception classes

# list_name, doc and AddErrorMessage are assumed to be the admin CGI's
# module globals, as in the rest of admin.py; only SECRET is new here.
SECRET="monty"

def isAuthenticated(list, password=None, SECRET=SECRET):
    # default refers to the module-level secret above (the literal
    # string "SECRET" was a typo and would ignore the configured value)
    import base64, md5
    if password is not None:  # explicit login
        try:
            list.ConfirmAdminPassword(password)
        except mm_err.MMBadPasswordError:
            AddErrorMessage(doc, 'Error: Incorrect admin password.')
            return 0
        # The token is a fixed function of SECRET and the list name: it
        # carries no issue time, so the server cannot tell an old cookie
        # from a fresh one and the expiry below is enforced by the
        # browser alone.
        token = md5.new(SECRET + list_name + SECRET).digest()
        token = base64.encodestring(token)
        token = string.strip(token)
        c = Cookie.Cookie()
        cookie_key = list_name + "-admin"
        c[cookie_key] = token
        c[cookie_key]['expires'] = mm_cfg.ADMIN_COOKIE_LIFE
        # Scope the cookie to the admin script's path: strip the scheme
        # and host from the script URL and keep everything from the
        # first "/" on.
        path = list.GetScriptURL("admin")
        path = path[string.find(path, "://") + 3:]
        path = path[string.find(path, "/"):]
        c[cookie_key]["path"] = path
        print c                         # Output the Set-Cookie header
        return 1
    # No password given: look for a previously issued admin cookie.
    if os.environ.has_key('HTTP_COOKIE'):
        c = Cookie.Cookie( os.environ['HTTP_COOKIE'] )
        if c.has_key(list_name + "-admin"):
            inp = base64.decodestring(c[list_name + "-admin"].value)
            check = md5.new(SECRET+list_name+SECRET).digest()
            if inp == check:
                return 1
            else:
                return 0
    return 0
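The timeout discussed above only reaches the browser: the server accepts any cookie whose value equals md5(SECRET + list_name + SECRET), and a saved cookie keeps working after ADMIN_COOKIE_LIFE has passed. The following is an added example, not Scott's patch or Mailman's code, written in current Python. The token carries its issue time and an HMAC over list name and time under a server secret, so the server itself rejects tokens older than the lifetime; the explicit-logout cookie John asks about and the HTTP_COOKIE parsing use the standard http.cookies module. The secret value, the 20-minute lifetime taken from the thread, and the /mailman/admin path are assumptions made for the example.

```python
import hashlib
import hmac
import time
from http.cookies import CookieError, SimpleCookie

# Constructed per-site secret for this example only; a deployment would
# load a long random value from configuration rather than a fixed word.
SECRET = b"constructed-example-secret-not-for-real-use"
ADMIN_COOKIE_LIFE = 20 * 60   # seconds; the 20-minute default from the thread


def _mac(list_name, issued_at):
    """HMAC over list name and issue time, so a token is bound to both."""
    msg = ("%s:%d" % (list_name, issued_at)).encode("utf-8")
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_admin_token(list_name, now=None):
    """Mint a cookie value of the form '<issued_at>.<hex mac>'."""
    issued_at = int(time.time() if now is None else now)
    return "%d.%s" % (issued_at, _mac(list_name, issued_at))


def check_admin_token(list_name, token, now=None, lifetime=ADMIN_COOKIE_LIFE):
    """Accept only a token whose MAC verifies and whose age is within lifetime."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, mac = token.split(".", 1)
        issued_at = int(issued_s)
    except (AttributeError, ValueError):
        return False          # missing or malformed cookie value
    # Constant-time comparison of the presented MAC with a recomputed one.
    if not hmac.compare_digest(mac, _mac(list_name, issued_at)):
        return False
    # Server-side expiry: Expires/Max-Age on the cookie is only a hint to
    # the browser, and a client can keep presenting an old cookie, so the
    # age is checked here regardless of what the browser did with it.
    if issued_at > now or now - issued_at > lifetime:
        return False
    return True


def admin_cookie(list_name, token, path="/mailman/admin"):
    """Build the Set-Cookie header line the login response would emit."""
    c = SimpleCookie()
    key = list_name + "-admin"
    c[key] = token
    c[key]["path"] = path
    c[key]["max-age"] = ADMIN_COOKIE_LIFE   # browser-side hint only
    c[key]["httponly"] = True               # keep the token away from page scripts
    return c.output()


def logout_cookie(list_name, path="/mailman/admin"):
    """Explicit logout: overwrite the cookie with an empty, already-expired one."""
    c = SimpleCookie()
    key = list_name + "-admin"
    c[key] = ""
    c[key]["path"] = path
    c[key]["max-age"] = 0
    return c.output()


def token_from_request(list_name, http_cookie_header):
    """Pull this list's admin token out of an HTTP_COOKIE value, or None."""
    c = SimpleCookie()
    try:
        c.load(http_cookie_header or "")
    except CookieError:       # malformed header: treat as no cookie at all
        return None
    morsel = c.get(list_name + "-admin")
    return morsel.value if morsel is not None else None


if __name__ == "__main__":
    tok = make_admin_token("testlist")
    print(admin_cookie("testlist", tok))
    print("valid now:", check_admin_token("testlist", tok))
    print("valid in 21 min:", check_admin_token("testlist", tok, now=time.time() + 21 * 60))
    print(logout_cookie("testlist"))
```

Because the token changes on every login and the age is checked on the server, an intercepted cookie stops working after the lifetime no matter what the client does with it, and a logout is simply a Set-Cookie with Max-Age=0; a request that omits the cookie, presents one for another list, or alters a single character fails the check.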