Skip to content. | Skip to navigation

Personal tools


You are here: Home / Tips / Sessions and Cookies

Sessions and Cookies

Session 在連線期間維護識別碼,它可以透過 Cookie 儲存或是經由 URL 傳遞。Plone 的 session 由 session_data_manager 工具程式管理,它能處理帳號登入、失效時間,搭配 mod_auth_tkt 可以管理單一帳號登入等功能。

Cookie 可以讓不同造訪的資訊串連,瀏覽器關閉也行,除非超過 expiration 時間,常用於減少重複登入或確認身份,每次 request 就能進行修改,容易客製化,但需要更注意安全性,因為客戶端的惡意程式可能會去攻擊它。Session 只在連線階段有效,例 PHP 預設時效是 1440秒,它的優缺點都在於,它存在於伺服端,當儲存過多資料可能造成系統效能問題,例如 ASP.NET 考慮用 TempData 來傳遞 request 之間的資訊,像 PHP5 發現客戶端停用 Cookie 時會轉用 URL 傳遞識別碼。混合式的作法,是讓 Cookie 儲存 Session ID (4K Byte) 但重要資料存於伺服端。

Cookie vs Local Storage vs Session Storage: 1, 2 允許 Tab 之間的資料傳遞 3 要求 Tab 之間的資料各自獨立 [ cookie 不能 cross-domain 但 localstorage 可以]

zope.session: Grok/Zope is creating a cookie for every user, even the anonymous user. serve anonymous users from the NGINX cache. But if there is a cookie, then NGINX does not cache, it passes it through to my servers, and that overloads the ZOPE servers.

調整要求登入的間隔時間 修改 Cookie : adapter vs subscriber

Remove jquery.cookie from plone-logged-in bundle's stub_js_modules 記住上次的確認

cookie issue Set Zope CookieCrumbler Cookie in Python Script

import requests

rssn = requests.session()

res ="http://xxxxxxxx", data=payload)
res2 = rssn.get("http://xxxxxxxx", headers=head)


To disable all automatic CSRF protection, set the environment variable PLONE_CSRF_DISABLED value to true.

Cross Site Request Forgery

By default, the (authentication session) cookie lifetime is the browser session. However, once a hacker has stolen the cookie value, the cookie lifetime does no longer matter. What still matters is how long the authentication session id (the cookie's value) remains valid. This controls how long the hacker can make use of the stolen value.

Plone protects these authentication session ids (against forgery, not against replay) via a digest created by a secret key. In order to keep authentication session ids valid when the key changes, it uses of key ring (from "plone.keyring"). To create the digest, the most recent key is used, for verification all keys in the ring are considered. The key ring is controled by an "IKeyManager" utility. It has methods "clear" (delete all keys) and "rotate" (create new key, push oldest key from the ring, if necessary). Calling "clear", invalidates all authentication session ids; calling "rotate" may invalidate some old authentication session ids.

The external setup, refers to calling "rotate" (or "clear") periodically to limit the lifetime of authentication session ids.

Philip Bauer: Never ever expose your zope-root or login using the zope-admin-Account via http since the zope-admins password is only uuencoded in a cookie


Login and Logout

Plone 至少用到 6個 login form,例如 login-form 與 failsafe_login_form 等。

logout 之後再使用自製的 login form,所以要從 裡確認。

Login Entry Point

Post Login Action

Post Logout Action


統計 Authenticated 和 Anonymous Guest 數量

Allow Anonymous Users to Edit Their Own Contents: redomino.tokenrole

# Code Snippet
sdm = self.context.session_data_manager
# Create Session if it's not created
session = sdm.getSessionData(create=True)

Plone Session

Products.Sessions domain setting

cookie validity timeout setting and refresh interval

removing session crumbler from a plone 2.x


Single Sign On (SSO)

透過 plone.session 預設就具備 single sign on 功能,例如結合 Apache 的 mod_auth_tkt 來管理帳號認證。雖然 plone.session 以 Plone 命名,但在 Plone 以外的場合,例如 Zope 也能適用。

OpenSSO SAML for SSO collective.saml2

Netsight case study

Central Authentication Service (CAS)

使用外部資料庫來登入 mod_auth_tkt

Auto Login in Plone3

Tracking logins and logged in time

JavaScript evercookie

session logout