Wednesday, December 26, 2007

argh!

I moved my work site's Zope app server to a faster box earlier this week. I noticed it had some trouble authenticating users after that — a user would log in, everything would look good, but then they'd click on a link and the server would act as if they weren't logged in. I used the Live HTTP Headers extension, and set Firefox to "ask before saving" cookies, so I knew the server was setting cookies properly. Strange.

The authentication cookie was named __ac, and its value was base64'd. I decided to decode its value, and much to my dismay, saw that it was in the format username:password in plain text. Argh!

I read the code for the authentication product (exUserFolder), and found a "secure" cookie mechanism. I remembered that I hadn't tried it out when I set up the software because I thought it required SSL or something. It doesn't. So, I simply changed the knob in Zope, and now my server was happily caching authentication data on the server and sending unique opaque cookies to the browser. The cookies even changed on each request — can't get more secure than that!

Today, I ran into another problem with the new setup. Apparently exUserFolder doesn't cache the authentication foo in the database. It caches it in memory. This means that every time I restart Zope, people are logged out. Argh!
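The two cookie styles described above, as an added Python sketch that is not exUserFolder's code: a check that flags a cookie value which base64-decodes to `username:password`, beside a minimal in-memory store that hands out opaque tokens and rotates them on each request. The names `looks_like_basic_credentials`, `InMemorySessionStore` and the sample cookie are hypothetical and constructed for illustration.

```python
import base64
import binascii
import secrets
from urllib.parse import unquote

# Constructed sample: what a credential-bearing __ac value looks like.
SAMPLE_AC_COOKIE = base64.b64encode(b"alice:s3cret").decode("ascii")


def looks_like_basic_credentials(cookie_value):
    """Return True if the value base64-decodes to printable 'user:password'."""
    try:
        raw = base64.b64decode(unquote(cookie_value), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False  # not valid base64 text, so not this cookie format
    user, sep, password = decoded.partition(":")
    return bool(sep and user and password and decoded.isprintable())


class InMemorySessionStore:
    """Maps opaque tokens to usernames; the mapping lives only in this process."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        # The token is random and carries no credential material.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def authenticate(self, token):
        """Validate a token and rotate it: returns (username, new_token)."""
        username = self._sessions.pop(token, None)
        if username is None:
            return None, None  # unknown, already rotated, or lost on restart
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = username
        return username, new_token
```

Creating a fresh `InMemorySessionStore` stands in for a process restart: every token issued by the old instance stops validating, which is the logout-on-restart behaviour described above.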
