Commit a3a211f7 authored by Jérome Perrin

core: only try to set auto logout session when using cookie crumbler

cookie crumbler uses username:password base64 encoded and this relies
on extracting the username from the cookie to set the session, but
other authentication methods do not embed the username, but still share
the same scripts to set the authentication cookie (so that we have one
central point setting cookie with all the necessary attributes for
security).
The problem is that it is incorrect to try to decode a username from
cookies set by other authentication methods, simply because they do not
contain the username. On python2 this was not causing a visible error
because everything is str, but the decoding error on python3 revealed
this.
parent 4ccf680e
...@@ -10,13 +10,15 @@ else: ...@@ -10,13 +10,15 @@ else:
now = DateTime() now = DateTime()
kw['expires'] = (now + expire_interval).toZone('GMT').rfc822() kw['expires'] = (now + expire_interval).toZone('GMT').rfc822()
ac_renew = (now + expire_interval / 2).millis() ac_renew = (now + expire_interval / 2).millis()
portal.portal_sessions[
portal.Base_getAutoLogoutSessionKey( cookie_authentication = getattr(portal, 'cookie_authentication', None)
username=portal.Base_getUsernameFromAuthenticationCookie( if cookie_authentication is not None \
cookie_value, and cookie_authentication.getProperty('auth_cookie') == cookie_name:
portal.portal_sessions[
portal.Base_getAutoLogoutSessionKey(
username=portal.Base_getUsernameFromAuthenticationCookie(cookie_value)
) )
) ]['ac_renew'] = ac_renew
]['ac_renew'] = ac_renew
REQUEST = portal.REQUEST REQUEST = portal.REQUEST
parse_dict = urlparse(REQUEST.other.get('ACTUAL_URL')) parse_dict = urlparse(REQUEST.other.get('ACTUAL_URL'))
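Review bot: The cookie-crumbler guard added at `cookie_authentication = getattr(portal, 'cookie_authentication', None)` is pasted verbatim into the second hunk, where it also wraps the `portal.setAuthCookie(resp, cookie_name, cookie_value)` call rather than only the `portal_sessions` lookup, so if that script is the only place non-crumbler cookies get refreshed, their expiry is no longer extended at all; if the intent is just to skip the session bookkeeping, keep the `DateTime().millis() >=` comparison outside the crumbler check. Factoring the test into one shared helper (a Base_ script taking `cookie_name`) would keep both scripts in step when the cookie configuration changes. Stylistically, parenthesising the condition instead of backslash continuations, `if (cookie_authentication is not None and cookie_authentication.getProperty('auth_cookie') == cookie_name):`, reads more cleanly. The block this hunk edits starts outside it (the `else:` shown in the hunk header).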
......
portal = context.getPortalObject() portal = context.getPortalObject()
if DateTime().millis() >= portal.portal_sessions[
portal.Base_getAutoLogoutSessionKey( cookie_authentication = getattr(portal, 'cookie_authentication', None)
username=portal.Base_getUsernameFromAuthenticationCookie( if cookie_authentication is not None \
cookie_value, and cookie_authentication.getProperty('auth_cookie') == cookie_name \
and DateTime().millis() >= portal.portal_sessions[
portal.Base_getAutoLogoutSessionKey(
username=portal.Base_getUsernameFromAuthenticationCookie(
cookie_value
)
) )
) ].get('ac_renew', 0):
].get('ac_renew', 0):
portal.setAuthCookie(resp, cookie_name, cookie_value) portal.setAuthCookie(resp, cookie_name, cookie_value)