paste auth-tkt with repoze.who cannot invalidate password?

Aaron Watters

Aug 18, 2009, 3:10:28 PM
to Paste Users
Hi folks. I have a problem with either auth-tkt authentication or repoze.who using auth-tkt, or both.

Basically, once a user has logged in I can't seem to be able to prevent them from logging in again using auth-tkt credentials, either by deleting the user from the user list or by changing the user's password -- auth-tkt always allows them back in no matter what.

I hope this is a case of me not understanding how things are supposed to work. Below are details:

In summary, for currently authenticated users I can't delete users or change passwords and get repoze.who to require the user to log in again.

I start the server using htpasswd containing the line

testuser:testpasswd

Then log in as testuser.

Then I stop the server and edit the htpasswd file, deleting the testuser entry.

Then I restart the server and, after reloading the browser page, *the server thinks I'm still logged in as testuser*!!

I think the deleted testuser should not be recognized as a valid user and I should be required to log in again. Where am I confused?

This is a little disturbing because it raises the possibility that a user could spoof being logged in without knowing a valid password or even a valid user name. Am I wrong?

I'm using the following configuration:

# repoze.who plugins and interfaces used by the configuration below
from repoze.who.interfaces import IIdentifier, IChallenger
from repoze.who.plugins.htpasswd import HTPasswdPlugin
from repoze.who.plugins.basicauth import BasicAuthPlugin
from repoze.who.plugins.auth_tkt import AuthTktCookiePlugin
from repoze.who.plugins.form import RedirectingFormPlugin
from repoze.who.middleware import PluggableAuthenticationMiddleware

# path of the htpasswd file (not shown in the original post); it holds
# the line  testuser:testpasswd
htfile = 'htpasswd'

# the passwords are in clear text
def cleartext_check(password, hashed):
    return password == hashed

# use the htpasswd file to find user names and passwords
htpasswd = HTPasswdPlugin(htfile, cleartext_check)

# allow HTTP basic authentication.
basicauth = BasicAuthPlugin('repoze.who')

# also allow auth_tkt based authentication
auth_tkt = AuthTktCookiePlugin('secret', 'auth_tkt')

# use the repoze.who redirecting form plugin for challenges and
# identification
form = RedirectingFormPlugin('login_url', '/login_handler_path',
                             '/logout_handler_path',
                             rememberer_name='auth_tkt')

# set up the form classifications
form.classifications = {IIdentifier: ['browser'],
                        IChallenger: ['browser']}

# the repoze.who identifiers
identifiers = [('form', form), ('auth_tkt', auth_tkt),
               ('basicauth', basicauth)]

# the repoze.who authenticators
authenticators = [('htpasswd', htpasswd)]

# the repoze.who challengers
challengers = [('form', form), ('basicauth', basicauth)]

# no metadata providers, please.
mdproviders = []

# use default classifiers and deciders
from repoze.who.classifiers import default_request_classifier
from repoze.who.classifiers import default_challenge_decider

# wrap the WSGI application in the middleware; `app` is the application
# being protected (defined elsewhere, not shown in the original post)
middleware = PluggableAuthenticationMiddleware(
    app, identifiers, authenticators, challengers, mdproviders,
    default_request_classifier, default_challenge_decider)

What's going on? Where am I confused? help!?

-- Aaron Watters
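The behaviour described in the post follows from what an auth_tkt cookie actually is. Below is an added, self-contained reimplementation of the mod_auth_tkt ticket format (the format paste.auth.auth_tkt and repoze.who's AuthTktCookiePlugin use: two rounds of MD5 over the client IP, timestamp, shared secret, user id, tokens and user data). It is illustration code written for this page, not the project's own code. identify() does everything a cookie-only identifier can do: check the signature and the age. Nothing in the ticket refers to the htpasswd file, so deleting the user or changing the password has no effect; only an expired ticket, a rotated secret or a tampered ticket is rejected. identify_checked(), the "credential version" stamped into user_data, the users/cred_version dictionaries, TIMEOUT and the fixed clock in demo() are assumptions made up for the example; they show the check a practitioner would add (re-verify the user against the store and bump a per-user version on every password change). Later repoze.who releases added `timeout`/`reissue_time` and a `userid_checker` argument to AuthTktCookiePlugin; if your version has them, they are the supported way to get the same effect.

```python
import hashlib
import hmac
import struct
import time

SECRET = "secret"     # same placeholder secret as the AuthTktCookiePlugin in the post
TIMEOUT = 3600        # hypothetical ticket lifetime in seconds (assumption for the example)


def _encode_ip_timestamp(ip, ts):
    # mod_auth_tkt packs the four IPv4 octets followed by the 32-bit timestamp, big-endian
    return bytes(int(o) for o in ip.split(".")) + struct.pack(">I", int(ts))


def calculate_digest(ip, ts, secret, userid, tokens, user_data):
    # Two MD5 rounds: md5(ip+ts | secret | userid | NUL | tokens | NUL | user_data), then md5(hex | secret)
    secret, userid, tokens, user_data = (s.encode() for s in (secret, userid, tokens, user_data))
    inner = hashlib.md5(_encode_ip_timestamp(ip, ts) + secret + userid + b"\0" + tokens + b"\0" + user_data)
    return hashlib.md5(inner.hexdigest().encode() + secret).hexdigest()


def make_ticket(secret, userid, tokens="", user_data="", ip="0.0.0.0", ts=None):
    # "0.0.0.0" is what the plugin uses when the ticket is not bound to the client IP
    ts = int(time.time()) if ts is None else int(ts)
    digest = calculate_digest(ip, ts, secret, userid, tokens, user_data)
    return "%s%08x%s!%s!%s" % (digest, ts, userid, tokens, user_data)


def parse_ticket(secret, ticket, ip="0.0.0.0"):
    # Returns (ts, userid, tokens, user_data); raises ValueError if the signature does not match
    digest, ts = ticket[:32], int(ticket[32:40], 16)
    userid, _, data = ticket[40:].partition("!")
    if "!" in data:
        tokens, _, user_data = data.partition("!")
    else:
        tokens, user_data = "", data
    expected = calculate_digest(ip, ts, secret, userid, tokens, user_data)
    if not hmac.compare_digest(expected, digest):
        raise ValueError("bad ticket signature")
    return ts, userid, tokens, user_data


def identify(secret, cookie, now, timeout=TIMEOUT):
    # Everything a cookie-only identifier can check: signature and age.  No password file
    # is consulted, which is why a deleted user still comes back as "logged in".
    try:
        ts, userid, _, _ = parse_ticket(secret, cookie)
    except ValueError:
        return None
    if now - ts > timeout:
        return None
    return userid


def identify_checked(secret, cookie, now, users, cred_version, timeout=TIMEOUT):
    # Hypothetical hardened variant (not part of repoze.who): after the signature check,
    # require that the user still exists and that the credential version stamped into the
    # ticket's user_data is current; the version is bumped on every password change.
    userid = identify(secret, cookie, now, timeout)
    if userid is None or userid not in users:
        return None
    _, _, _, user_data = parse_ticket(secret, cookie)
    if user_data != "v=%d" % cred_version[userid]:
        return None
    return userid


def demo():
    # Replays the scenario from the post with a fixed clock so the results are reproducible.
    users = {"testuser": "testpasswd"}     # constructed: the htpasswd line from the post
    cred_version = {"testuser": 1}         # constructed: per-user credential version
    now = 1250000000                       # fixed clock, seconds since the epoch
    cookie = make_ticket(SECRET, "testuser", user_data="v=%d" % cred_version["testuser"], ts=now)
    out = {"fresh": identify(SECRET, cookie, now)}

    del users["testuser"]                  # "edit the htpasswd file deleting the testuser entry"
    out["deleted_signature_only"] = identify(SECRET, cookie, now + 60)
    out["deleted_checked"] = identify_checked(SECRET, cookie, now + 60, users, cred_version)

    users["testuser"] = "newpasswd"        # password changed: bump the credential version
    cred_version["testuser"] += 1
    out["pw_changed_checked"] = identify_checked(SECRET, cookie, now + 60, users, cred_version)

    out["secret_rotated"] = identify("new-secret", cookie, now + 60)
    out["expired"] = identify(SECRET, cookie, now + TIMEOUT + 1)
    out["tampered"] = identify(SECRET, cookie.replace("testuser", "admin"), now + 60)
    return out


if __name__ == "__main__":
    for name, userid in demo().items():
        print("%-24s %r" % (name, userid))
```

Running it prints "testuser" for the fresh ticket and, crucially, also for the ticket presented after the user was deleted, because the signature still verifies and the ticket has not aged out; the checked variant, the rotated secret, the expired ticket and the tampered user id all come back as None. Rotating the secret is the blunt instrument (it logs everyone out); a short timeout bounds the exposure window; a per-user check on each request, as in identify_checked(), is what makes deleting a user or changing a password take effect immediately.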