
Sessions and Cookies

Plone sessions are managed by the session_data_manager tool, which handles account login and expiry time; combined with mod_auth_tkt it can also provide single sign-on and similar features.

zope.session: Grok/Zope is creating a cookie for every user, even the anonymous user. I serve anonymous users from the NGINX cache. But if there is a cookie, then NGINX does not cache; it passes the request through to my servers, and that overloads the Zope servers.

Adjusting the interval after which login is required again; modifying the cookie: adapter vs subscriber

Remove jquery.cookie from plone-logged-in bundle's stub_js_modules


To disable all automatic CSRF protection, set the environment variable PLONE_CSRF_DISABLED value to true.

Cross Site Request Forgery

By default, the (authentication session) cookie lifetime is the browser session. However, once an attacker has stolen the cookie value, the cookie lifetime no longer matters. What still matters is how long the authentication session id (the cookie's value) remains valid, because that controls how long the attacker can make use of the stolen value.

Plone protects these authentication session ids (against forgery, not against replay) with a digest created from a secret key. To keep authentication session ids valid when the key changes, it uses a key ring (from "plone.keyring"): the most recent key is used to create the digest, and for verification all keys in the ring are considered. The key ring is controlled by an "IKeyManager" utility, which has the methods "clear" (delete all keys) and "rotate" (create a new key and, if necessary, push the oldest key out of the ring). Calling "clear" invalidates all authentication session ids; calling "rotate" may invalidate some old authentication session ids.

The external setup refers to calling "rotate" (or "clear") periodically to limit the lifetime of authentication session ids.

Philip Bauer: Never ever expose your Zope root or log in using the Zope admin account via HTTP, since the Zope admin's password is only uuencoded in a cookie.

Login and Logout

Plone uses at least 6 login forms, for example login-form and failsafe_login_form.

After logout a custom login form is used, so this has to be confirmed from .

Login Entry Point

Post Login Action

Post Logout Action


Counting Authenticated and Anonymous Guest users

Allow Anonymous Users to Edit Their Own Contents: redomino.tokenrole

# Code Snippet
# The session_data_manager tool is acquired from the context (a Zope/Plone object)
sdm = self.context.session_data_manager
# Fetch the current visitor's session data; create a session if none exists yet
session = sdm.getSessionData(create=True)

Plone Session

Products.Sessions domain setting

cookie validity timeout setting and refresh interval

removing session crumbler from a plone 2.x


Single Sign On (SSO)

plone.session provides single sign-on out of the box, for example by combining it with Apache's mod_auth_tkt to manage account authentication. Although plone.session is named after Plone, it can also be used outside Plone, for example in plain Zope.
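The following is an added example, not code from Plone, plone.session or plone.keyring, written to illustrate two points on this page: the key-ring scheme described under Cross Site Request Forgery (sign with the newest key, verify against every key in the ring, "rotate" pushes the oldest key out, "clear" invalidates everything) and the mod_auth_tkt-style ticket that plone.session uses for single sign-on. The ticket layout (digest, hex timestamp, userid!tokens!user_data) follows the mod_auth_tkt documentation; the class and function names, the ring size and the sample user ids are assumptions made for this example. It runs offline.

```python
import hashlib
import hmac
import socket
import struct
import time


class KeyRing:
    """Illustrative fixed-size ring of secrets: newest key first, oldest dropped on rotate.
    Assumed interface modelled on the page's description of IKeyManager (not plone.keyring itself)."""

    def __init__(self, size=5):
        self.size = size
        self.keys = [self._new_key()]

    @staticmethod
    def _new_key():
        import os
        return os.urandom(32)

    def rotate(self):
        # Create a new key, push the oldest out once the ring is full.
        self.keys.insert(0, self._new_key())
        del self.keys[self.size:]

    def clear(self):
        # Delete all keys: every ticket ever issued becomes unverifiable.
        self.keys = []

    @property
    def current(self):
        if not self.keys:
            raise RuntimeError("key ring is empty; call rotate() to create a key")
        return self.keys[0]


def _digest(secret, timestamp, userid, ip, tokens, user_data):
    # Two-stage MD5 over packed IP + timestamp + secret + fields, as in mod_auth_tkt.
    data0 = (socket.inet_aton(ip) + struct.pack("!I", timestamp) + secret
             + userid.encode() + b"\0" + tokens.encode() + b"\0" + user_data.encode())
    d0 = hashlib.md5(data0).hexdigest().encode()
    return hashlib.md5(d0 + secret).hexdigest()


def create_ticket(ring, userid, tokens="", user_data="", ip="0.0.0.0", now=None):
    """Sign with the most recent key only."""
    if "!" in userid:
        raise ValueError("userid must not contain '!'")
    ts = int(time.time() if now is None else now)
    digest = _digest(ring.current, ts, userid, ip, tokens, user_data)
    return "%s%08x%s!%s!%s" % (digest, ts, userid, tokens, user_data)


def validate_ticket(ring, ticket, timeout=3600, ip="0.0.0.0", now=None):
    """Return the ticket fields if the digest matches any key in the ring and the
    ticket has not expired; otherwise None. Expiry is checked before the digest so a
    stolen value stops working after `timeout` seconds even if its key is still live."""
    now = int(time.time() if now is None else now)
    if len(ticket) < 40:
        return None
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    if ts + timeout < now:
        return None
    try:
        userid, tokens, user_data = rest.split("!", 2)
    except ValueError:
        return None
    for key in ring.keys:  # verification considers every key still in the ring
        expected = _digest(key, ts, userid, ip, tokens, user_data)
        if hmac.compare_digest(expected, digest):
            return {"userid": userid, "tokens": tokens, "user_data": user_data}
    return None


if __name__ == "__main__":
    ring = KeyRing(size=3)
    ticket = create_ticket(ring, "alice", tokens="editors", now=1000)  # constructed sample
    print("fresh ticket:", validate_ticket(ring, ticket, timeout=600, now=1100))
    ring.rotate()
    print("after one rotate (old key still in ring):", validate_ticket(ring, ticket, timeout=600, now=1100))
    ring.rotate(); ring.rotate()
    print("after three rotates (key pushed out):", validate_ticket(ring, ticket, timeout=600, now=1100))
```

Calling `rotate()` on a schedule is the "external setup" the page mentions: a ticket stays valid for at most `size` rotation periods, while `clear()` cuts every outstanding ticket off at once. The IP is bound into the digest, so a value replayed from another address fails verification as well.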


Netsight case study

Central Authentication Service (CAS)

Logging in to mod_auth_tkt using an external database

Auto Login in Plone3

Tracking logins and logged-in time

JavaScript evercookie