Sessions and Cookies
Cookies link information across separate visits, and survive the browser being closed unless the expiration time has passed; they are commonly used to avoid repeated logins or to confirm identity. They can be modified on every request, so they are easy to customize, but they need more attention to security because malicious code on the client can attack them (a session cookie should therefore carry the HttpOnly, Secure and SameSite attributes). A session is valid only for the duration of the session; PHP's default lifetime, for example, is 1440 seconds (session.gc_maxlifetime). Its strength and its weakness are the same thing: it lives on the server, so storing too much data there can hurt system performance. ASP.NET, for example, offers TempData for passing information between requests, and PHP 5 falls back to passing the session identifier in the URL when it detects that the client has cookies disabled (which exposes the identifier in logs and Referer headers). The hybrid approach stores only the session ID in the cookie (cookies are limited to about 4 KB) and keeps the important data on the server.
Cookie vs Local Storage vs Session Storage: cookies (1) and localStorage (2) share data between tabs; sessionStorage (3) keeps each tab's data separate. [Note: neither cookies nor localStorage cross domains. localStorage is scoped to the origin (scheme, host and port); cookies are scoped by host and path, and can be shared only with subdomains via the Domain attribute.]
zope.session: Grok/Zope is creating a cookie for every user, even the anonymous user. Serve anonymous users from the NGINX cache. But if there is a cookie, then NGINX does not cache; it passes it through to my servers, and that overloads the Zope servers.
Adjusting the interval after which login is required again; modifying the cookie: adapter vs subscriber
Remove jquery.cookie from the plone-logged-in bundle's stub_js_modules (remember the last confirmation)
cookie issue: Set Zope CookieCrumbler Cookie in Python Script
Logging in with a requests session so that the cookies set by the login POST are reused on the following GET (the URLs and form fields are left as placeholders, as on the page):

    import requests

    payload = {}   # login form fields for the POST (not given here)
    head = {}      # extra headers for the follow-up request

    rssn = requests.Session()          # keeps the cookie jar across requests
    res = rssn.post("http://xxxxxxxx", data=payload)
    res2 = rssn.get("http://xxxxxxxx", headers=head)   # sent with the cookies from the login
CSRF
To disable all automatic CSRF protection, set the environment variable PLONE_CSRF_DISABLED to true. Use this only for debugging: it removes plone.protect's automatic protection from every request.
By default, the (authentication session) cookie lifetime is the browser session. However, once an attacker has stolen the cookie value, the cookie lifetime no longer matters. What still matters is how long the authentication session id (the cookie's value) remains valid, because that controls how long the attacker can make use of the stolen value.
Plone protects these authentication session ids (against forgery, not against replay) via a digest created with a secret key. In order to keep authentication session ids valid when the key changes, it uses a key ring (from "plone.keyring"). To create the digest, the most recent key is used; for verification, all keys in the ring are considered. The key ring is controlled by an "IKeyManager" utility. It has the methods "clear" (delete all keys) and "rotate" (create a new key, pushing the oldest key out of the ring if necessary). Calling "clear" invalidates all authentication session ids; calling "rotate" may invalidate some old authentication session ids.
The external setup refers to calling "rotate" (or "clear") periodically to limit the lifetime of authentication session ids.
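The digest-and-key-ring scheme described above (and the CSRF token that plone.protect derives from the same ring), as an added stdlib-only illustration. This is not code from plone.keyring, plone.session or plone.protect; the class and function names, the ring size and the "userid:issued_at:digest" layout are assumptions made for the example. It keeps the properties the notes describe: the newest key signs, every key still in the ring verifies, rotate() pushes the oldest key out once the ring is full, and clear() invalidates everything at once.

```python
import hashlib
import hmac
import secrets
from collections import deque

RING_SIZE = 5  # assumption for this example; treat as configurable


class KeyRing:
    """Fixed-size ring of secrets. keys[0] is always the most recent key."""

    def __init__(self, size=RING_SIZE):
        self.keys = deque(maxlen=size)
        self.rotate()

    def rotate(self):
        # appendleft on a bounded deque drops the oldest key automatically
        self.keys.appendleft(secrets.token_bytes(32))

    def clear(self):
        self.keys.clear()

    def current(self):
        if not self.keys:
            raise RuntimeError("key ring is empty; call rotate() first")
        return self.keys[0]


def _digest(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign(ring, payload):
    """Create a digest with the most recent key only."""
    return _digest(ring.current(), payload)


def verify(ring, payload, digest):
    """Accept a digest made by any key still in the ring (constant-time compare)."""
    return any(
        hmac.compare_digest(_digest(k, payload).encode(), digest.encode())
        for k in ring.keys
    )


# --- authentication session id: "userid:issued_at:digest" -------------------
def issue_session_id(ring, userid, issued_at):
    payload = f"{userid}:{issued_at}".encode()
    return f"{userid}:{issued_at}:{sign(ring, payload)}"


def validate_session_id(ring, session_id):
    """Return the userid if the digest checks out under some ring key, else None.

    This detects forgery only: a stolen but genuine id keeps validating until
    the key that signed it has been rotated out of the ring or the ring is
    cleared, which is why periodic rotate()/clear() bounds the exposure."""
    try:
        userid, issued_at, digest = session_id.rsplit(":", 2)
    except ValueError:
        return None
    payload = f"{userid}:{issued_at}".encode()
    return userid if verify(ring, payload, digest) else None


# --- CSRF token: digest of the user id under the same ring -----------------
def csrf_token(ring, userid):
    return sign(ring, b"csrf:" + userid.encode())


def check_csrf(ring, userid, token):
    return verify(ring, b"csrf:" + userid.encode(), token)


def rotation_timeline(ring_size=3):
    """Count how many rotate() calls a session id survives with a ring of ring_size."""
    ring = KeyRing(ring_size)
    sid = issue_session_id(ring, "alice", 1700000000)
    survived = 0
    while validate_session_id(ring, sid) == "alice":
        ring.rotate()
        survived += 1
    return survived  # equals ring_size: one more rotation evicts the signing key


if __name__ == "__main__":
    ring = KeyRing()
    sid = issue_session_id(ring, "alice", 1700000000)
    print(validate_session_id(ring, sid))      # alice
    ring.clear()
    print(validate_session_id(ring, sid))      # None: every key is gone
    print(rotation_timeline(3))                # 3
```

rotation_timeline() is the point of the "external setup" paragraph: with a ring of N keys, a session id issued just before a rotation stays valid for N further rotations, so the rotation period times N is the longest a stolen id can be replayed.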
Philip Bauer: Never ever expose your Zope root or log in using the Zope admin account via HTTP, since the Zope admin's password is only uuencoded in a cookie.
Login and Logout
Plone uses at least 6 login forms, e.g. login-form and failsafe_login_form.
A custom login form is used after logout, so check it from within logged_out.pt.
Login Entry Point
Post Login Action
Post Logout Action
Products.LoginLockout
Counting Authenticated and Anonymous guest numbers
Allow Anonymous Users to Edit Their Own Contents: redomino.tokenrole
Getting the Products.Sessions session data for the current request from inside a browser view (self.context is a Plone content object; session_data_manager is found by acquisition):

    # Code Snippet
    sdm = self.context.session_data_manager
    # Create the session if it has not been created yet
    session = sdm.getSessionData(create=True)
Plone Session
Products.Sessions domain setting
cookie validity timeout setting and refresh interval
removing the session crumbler from Plone 2.x
Single Sign On (SSO)
plone.session provides single sign-on out of the box, for example in combination with Apache's mod_auth_tkt to manage account authentication. Although plone.session is named after Plone, it also works outside Plone, for example in plain Zope.
OpenSSO SAML for SSO collective.saml2
Central Authentication Service (CAS)
http://www.washington.edu/webinfo/case/zope/
Logging in against an external database: mod_auth_tkt
http://plone.293351.n2.nabble.com/setAuthCookie-question-td1354998.html
Tracking logins and logged in time
session logout https://auth0.com/docs/api-auth/which-oauth-flow-to-use https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2