core: only try to set auto logout session when using cookie crumbler

cookie crumbler uses username:password base64 encoded and this relies on extracting the username from the cookie to set the session, but other authentication methods do not embed the username, but still share the same scripts to set the authentication cookie (so that we have one central point setting cookie with all the necessary attributes for security). The problem is that it's incorrect to try to decode an username with cookies from other authentication methods, simply because they do not contain the username. On python2 this was not causing visible error because everything is str, but the decoding error on python3 revealed this.

core: only try to set auto logout session when using cookie crumbler
cookie crumbler uses username:password base64 encoded and this relies on extracting the username from the cookie to set the session, but other authentication methods do not embed the username, but still share the same scripts to set the authentication cookie (so that we have one central point setting cookie with all the necessary attributes for security). The problem is that it's incorrect to try to decode an username with cookies from other authentication methods, simply because they do not contain the username. On python2 this was not causing visible error because everything is str, but the decoding error on python3 revealed this.
5e0124e4 · Jérome Perrin · aaa5f974 · 5e0124e4 · 5e0124e4
Commit 5e0124e4 authored Feb 10, 2024 by Jérome Perrin
2 changed files
--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/setAuthCookie.py
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/setAuthCookie.py
@@ -10,13 +10,15 @@ else:
  now = DateTime()
  kw['expires'] = (now + expire_interval).toZone('GMT').rfc822()
  ac_renew = (now + expire_interval / 2).millis()
-portal.portal_sessions[
-  portal.Base_getAutoLogoutSessionKey(
-    username=portal.Base_getUsernameFromAuthenticationCookie(
-      cookie_value,
+
+cookie_authentication = getattr(portal, 'cookie_authentication', None)
+if cookie_authentication is not None \
+    and cookie_authentication.getProperty('auth_cookie') == cookie_name:
+  portal.portal_sessions[
+    portal.Base_getAutoLogoutSessionKey(
+      username=portal.Base_getUsernameFromAuthenticationCookie(cookie_value)
    )
-  )
-]['ac_renew'] = ac_renew
+  ]['ac_renew'] = ac_renew

 REQUEST = portal.REQUEST
 parse_dict = urlparse(REQUEST.other.get('ACTUAL_URL'))

--- a/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/twiddleAuthCookie.py
+++ b/product/ERP5/bootstrap/erp5_core/SkinTemplateItem/portal_skins/erp5_auto_logout/twiddleAuthCookie.py
 portal = context.getPortalObject()
-if DateTime().millis() >= portal.portal_sessions[
-      portal.Base_getAutoLogoutSessionKey(
-        username=portal.Base_getUsernameFromAuthenticationCookie(
-          cookie_value,
+
+cookie_authentication = getattr(portal, 'cookie_authentication', None)
+if cookie_authentication is not None \
+    and cookie_authentication.getProperty('auth_cookie') == cookie_name \
+    and DateTime().millis() >= portal.portal_sessions[
+        portal.Base_getAutoLogoutSessionKey(
+          username=portal.Base_getUsernameFromAuthenticationCookie(
+            cookie_value
+          )
        )
-      )
-    ].get('ac_renew', 0):
+      ].get('ac_renew', 0):
  portal.setAuthCookie(resp, cookie_name, cookie_value)