
plone.session (3.3)

by Olha Pelishok last modified 2011-01-03
Released on 2010-12-30 by Plone Foundation under LGPL - GNU Lesser General Public License available for All platforms.
Software development stage: stable
Session based authentication for Zope

plone.session implements secure session management for Zope sites.

In its default configuration plone.session uses an HMAC-SHA-256 keyed hash to authenticate sessions. The hash is computed over the userid with a secret stored in the PAS plugin, so the secret itself never leaves the server. Otherwise, the cookie format is identical to that of Apache's mod_auth_tkt. For single sign-on with the original mod_auth_tkt or another compatible implementation, set the mod_auth_tkt property to true. This invokes an MD5-based double hashing scheme. You will need to use the same secret across all servers.

This has several advantages over other session management systems:

  • passwords are not sent to the server in a cookie on every request, as is done by the Cookie Auth Helper.
  • it does not require any ZODB write for sessions, as is needed by the Session Crumbler. This allows it to scale very well.
  • it allows you to invalidate all existing authentication cookies for users by updating the secret.
  • the cookie is only valid for the period specified by the timeout property.

There are some downsides to this approach:

  • if a user's password is changed or disabled, existing session identifiers will continue to work, making it hard to lock out individual users.
  • a user must have cookies enabled.

A session cookie is used to track sessions; that means that as long as a user keeps their browser open (and does not explicitly log out) the session remains open until the timeout limit is reached. This can be changed by setting the timeout property of the plugin to the number of seconds the cookie should remain valid after the moment of login.

The module that implements the core mod_auth_tkt functionality is self-contained and may be of use to other frameworks.
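To make the cookie scheme and the timeout behaviour described above concrete, here is an added, self-contained illustration (not plone.session's own code) of an HMAC-SHA-256 ticket in a mod_auth_tkt-style layout; the exact byte layout of the signed payload, the field names and the sample secret are assumptions. Validation recomputes the digest from the cookie's own fields and the server-side secret, so a rotated secret, an expired timestamp or a tampered userid all cause the ticket to be rejected.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed layout (an assumption, not plone.session's code):
#   <64 hex digest><8 hex timestamp><userid>!<tokens>!<user_data>
# The digest covers the timestamp, userid, tokens and user data under a
# secret shared by all servers; the secret itself is never put in the cookie.

DIGEST_LEN = 64  # hex length of a SHA-256 digest
TS_LEN = 8       # hex length of a 32-bit timestamp


def create_ticket(secret: bytes, userid: str, timestamp: int,
                  tokens: str = "", user_data: str = "") -> str:
    """Build a ticket for an already authenticated user."""
    packed_ts = struct.pack("!I", timestamp)
    payload = packed_ts + f"{userid}\0{tokens}\0{user_data}".encode("utf8")
    digest = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{digest}{timestamp:08x}{userid}!{tokens}!{user_data}"


def validate_ticket(secret: bytes, ticket: str, timeout: int,
                    now: int) -> Optional[str]:
    """Return the userid if digest and timeout check out, otherwise None."""
    try:
        digest = ticket[:DIGEST_LEN]
        timestamp = int(ticket[DIGEST_LEN:DIGEST_LEN + TS_LEN], 16)
        userid, tokens, user_data = ticket[DIGEST_LEN + TS_LEN:].split("!", 2)
    except ValueError:          # malformed ticket: short, non-hex or missing '!'
        return None
    expected = create_ticket(secret, userid, timestamp, tokens, user_data)
    # Constant-time comparison so a forged digest leaks nothing via timing.
    if not hmac.compare_digest(expected[:DIGEST_LEN], digest):
        return None
    # The timeout property: the cookie is valid for `timeout` seconds after login.
    if now - timestamp > timeout:
        return None
    return userid
```

Rotating the secret on the server invalidates every outstanding ticket at once, which is the "invalidate all existing cookies" property listed above; it does not, however, single out one user whose password changed.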

Using plone.session

plone.session only takes care of handling sessions for already authenticated users. This means it cannot be used stand-alone: you need another PAS plugin, such as the standard Cookie Auth Helper, to take care of authentication.

After a user has been authenticated plone.session can take over via the PAS credentials update mechanism.
