Overview
========
*plone.session* implements secure session management for Zope sites.
In its default configuration *plone.session* uses an HMAC_ SHA-256_ secure cryptographic hash to authenticate sessions.
The hash is generated using the userid and a secret stored in the PAS plugin.
Otherwise, the cookie format is identical to that of Apache's mod_auth_tkt_.
For single sign on with the original mod_auth_tkt or another compatible implementation, set the ``mod_auth_tkt`` property to true.
This invokes an MD5_ based double hashing scheme.
You will need to use the same secret across all servers.
This has several advantages over other session management systems:
* passwords are not sent to the server in a cookie on every request, as is done by the *Cookie Auth Helper*
* it does not require any ZODB write for sessions, as is needed by the *Session Crumbler*.
This allows it to scale very well.
* it allows you to invalidate all existing authentication cookies for users by updating the secret.
* The cookie is only valid for the period specified by the ``timeout`` property.
There are some downsides to this approach:
* if a user's password is changed or disabled session identifiers will continue to work, making it hard to lock out individual users.
* a user must have cookies enabled.
A session cookie is used to track sessions;
that means that as long as a user keeps his browser open (and does not explicitly log out) the session remains open until the timeout limit is reached.
This can be changed by setting the ``timeout`` property of the plugin to the number of seconds the cookie should remain valid *after the moment of login*.
*plone.session* does **not** excuse you from setting up TLS (aka HTTPS) for your site.
``tktauth.py`` implements the core mod_auth_tkt functionality.
It is self-contained and may be of useful to other frameworks.
.. _mod_auth_tkt: http://www.openfusion.com.au/labs/mod_auth_tkt/
.. _MD5: http://en.wikipedia.org/wiki/MD5
.. _HMAC: http://en.wikipedia.org/wiki/HMAC
.. _SHA-256: http://en.wikipedia.org/wiki/SHA-256
Using plone.session
===================
*plone.session* only takes care of handling sessions for already authenticated users.
This means it can not be used stand-alone: you need to have another PAS plugin, such as the standard *Cookie Auth Helper* to take care of authentication.
After a user has been authenticated *plone.session* can take over via the PAS *credentials update* mechanism.
Configuration options
=====================
To enable logins between sites or other mod_auth_tkt systems, set the shared secret through the Zope Management Interface.
You can manage the ``plone.keyring`` secrets through the same page.
The following properties may be set through the ``Properties`` tab:
Cookie validity timeout (in seconds)
After this, the session is invalid and the user must login again.
Set to 0 for the cookie to remain valid indefinitely.
Note that when the user folder has caching enabled, cookie validity may not be checked on every request.
Refresh interval (in seconds, -1 to disable refresh)
This controls the refresh CSS max-age (see below.)
Use mod_auth_tkt compatible hashing algorithm
Compatibility with other implementations, but at the cost of using a weaker hashing algorithm.
Cookie name
Which cookie to use. This must also be set on the ``credentials_cookie_auth`` plugin.
Cookie lifetime (in days)
This makes the cookie persistent across opening and closing the browser.
Cookie domain (blank for default)
A cookie may be shared across www1.example.com and www2.example.com by setting the cookie domain to ``.example.com``.
Cookie path
What path the cookie is set valid (defaults to ``/``).
Ticket refresh
==============
To enable short validity timeouts you must ensure that the cookie is regularly updated.
One option is to put mod_auth_tkt in front of your site and set a ``TktAuthTimeoutRefresh``.
As of *plone.session 3.1*, an independent javascript solution is also supplied, installable as an optional add-on in Plone.
Theory of operation
-------------------
The optional add-on installs a css resource which updates the cookie when loaded.
This allows the cookie to be updated every time a page is loaded.
While this CSS cannot cached by proxy servers, it may be cached for a time on the client.
By controlling the ``max-age`` of the CSS resource, it is possible to control how often the browser actually fetches the CSS and hence how often the cookie is updated.
With short timeouts (15 or 30 minutes say), a user may not have loaded a new page before their cookie becomes invalid.
A javascript is included which polls the cookie refresh CSS periodically while the user is active on the page (key presses or mouse moves.)
If the refresh CSS max-age has passed, then the browser will refetch the CSS and the cookie will be updated.
The poll interval may be configured on the refresh CSS query string ``minutes`` parameter, with the default being 5 minutes.
Ticket removal
==============
When login sessions are shared across domains, it can be helpful to log users out of all domains when they log out of a Plone site.
Load the pseudo CSS ``http://example.com/portal_path/acl_users/session/remove?type=css`` on the ``/logged_out`` page for ticket removal.
Single Sign On with IIS
=======================
For intranet setups with users on a Windows domain, it's possible to configure IIS with `Integrated Windows Authentication` to act as an external login provider, even for sites running on Linux/Unix servers.
Requirements
------------
- You need a Microsoft Windows Server running IIS.
Preferably Windows Server 2003 or a later version.
- The server must be a member of the Windows domain you want to authenticate users for.
It does not need to be an Active Directory server itself.
- You site should use pas.plugins.ldap_ to use the same Active Directory as a user source.
.. _pas.plugins.ldap: http://pypi.python.org/pypi/pas.plugins.ldap
Python
------
- The Windows server needs to have `Python 2.7 <http://www.python.org/download/>`_ and the `Python Win 32 extensions build >=216 <http://sourceforge.net/projects/pywin32/files/>`_ installed.
- Place a copy of ``tktauth.py`` (from plone/session of this package) into::
C:\Python26\Lib\site-packages\
- Follow these `instructions on how to configure Python for IIS <http://support.microsoft.com/kb/276494>`_.
In bullet point 2.d. use::
Executable: "C:\Python27\python.exe -u %s %s"
instead.
This will ensure files are opened in universal newline mode.
You can choose to only configure these settings for the specific web site and not the entire IIS.
Adjust settings accordingly and create the web site first as detailed in the next chapter.
IIS
---
- Find and open the IIS management console.
- Create a new `Web Site`, by going into the ``Web Sites`` folder and using the right-click menu.
You should get a wizard asking you for various questions::
Description: SSO login service
TCP port: 80
Path: c:\Inetpub\sso
Allow anonymous access to this Web site: <not checked>
Permissions: Read, Run scripts, Execute
- If you are running IIS 6, you need to go to the ``Web Service Extensions`` folder and change ``Active Server Pages`` to be ``Allowed``.
Otherwise you will get rather unhelpful ``404 Not Found`` errors for the asp scripts.
IIS script
----------
- Copy the ``login.asp`` and ``test.asp`` scripts (from the iis-login folder of this package) into root path of the web site (for example C:\Inetpub\sso).
- You need to modify the ``SECRET`` constant found in the ``login.asp`` to the same shared secret set on *plone.session's* ``Manage secrets`` tab.
- Modify the ``ALLOWED_SITES`` constant in ``login.asp`` to include the URLs of your Plone sites.
- Modify the ``DEFAULT_NEXT`` constant in ``login.asp`` to refer the the URL of ``logged_in`` on one of your Plone sites.
- Access ``http://LOGONSERVER/test.asp`` to confirm access permissions are correctly configured.
Configuring browsers to allow automatic logon
---------------------------------------------
Browsers must be configured to *trust* the logon server for user authentication data to be sent automatically.
By default, Internet Explorer sends logon information to servers within the *Intranet Zone*, so long as the site is accessed using it's intranet name (``http://LOGONSERVER/login.asp``).
If the site is accessed using a fully qualified domain name or IP address, it must be explicitly added to the list of `trusted sites <http://support.microsoft.com/kb/174360>`_.
Firefox configuration information may be found in this `article <http://support.mozilla.com/en-US/kb/Firefox+asks+for+user+name+and+password+on+internal+sites>`_.
Configuring your Plone site
---------------------------
Ensure that you have setup authentication to Active Directory and that you can login with the your current Windows user name.
Set the following configuration options through the Zope interface:
- In ``/Plone/acl_users/session``. On the ``Manage secrets`` tab set a shared secret.
- In ``/Plone/portal_properties/site_properties`` set ``external_login_url`` to ``http://LOGONSERVER/login.asp``.
- In ``/Plone/portal_properties/site_properties`` set ``external_login_iframe`` to true.
Note for developers testing this under Windows XP
-------------------------------------------------
- IIS may be installed as an additional component using the Windows XP installation CD.
- The IIS management console can be located at::
Start -> Control Panel -> Administrative Tools -> Internet Information Services
- The pywin32 installer setup IIS sufficiently for me not to need to follow the *instructions on how to configure Python for IIS*.
- I could not find how to setup a separate site, so placed the asp scripts directly in ``C:\Inetpub\wwwroot`` - the *Default Web Site*
- From the IIS management console, select "Default Web Site".
You should see ``login.asp`` and ``test.asp`` in the right hand pane.
With each file, right-click Properties.
On the `File Security` tab click Edit... on ``Anonymous access and authentication control``.
Uncheck ``Anonymous access`` and check ``Basic authentication`` (to be used as a fallback) and ``Integrated Windows authentication``.
- Access ``http://localhost/test.asp`` to confirm IIS authentication works as expected.
- Set the secret in ``login.asp`` and ``Manage secrets`` of *plone.session*.
- Set SITE_URL in ``login.asp`` to ``http://localhost:8080/Plone`` (or whatever the address of your site is).
- Add a Plone user with the same name as your Windows login name (e.g. *Administrator*), this avoids setting up Active Directory.
- Follow the section above to configure your Plone site, but set ``Login Form`` to ``http://localhost/login.asp``.
Changelog
=========
.. You should *NOT* be adding new change log entries to this file.
You should create a file in the news directory instead.
For helpful instructions, please see:
https://github.com/plone/plone.releaser/blob/master/ADD-A-NEWS-ITEM.rst
.. towncrier release notes start
4.0.4 (2023-09-08)
------------------
Bug fixes:
- Do not set an auth cookie after password reset, unless the user is authenticated.
Otherwise anonymous users will be logged in immediately, even when autologin after password reset is false.
Fixes `issue 3835 <https://github.com/plone/Products.CMFPlone/issues/3835>`_.
[maurits] (#3835)
Internal:
- Update configuration files.
[plone devs] (7723aeaf)
4.0.3 (2023-03-21)
------------------
Bug fixes:
- Remove circular dependency on Products.CMFPlone. Use moved imports from plone.base instead.
[jensens] (#38)
Internal:
- Update configuration files.
[plone devs] (a533099d)
4.0.2 (2023-02-07)
------------------
Bug fixes:
- Declare all dependencies.
[gforcada] (#1)
4.0.1 (2023-01-30)
------------------
Internal:
- Update code to current Plone meta standards.
[gforcada, maurits] (#1)
4.0.0 (2022-12-02)
------------------
Bug fixes:
- Final release for Plone 6.0.0 (#600)
4.0.0b2 (2022-08-31)
--------------------
New features:
- Creating per-user keyrings in order to have session invalidation on log-out (server-side logout). [david-batranu] (#26)
- Cookie attribute SameSite is set to "Lax". (#29)
4.0.0b1 (2022-07-22)
--------------------
Bug fixes:
- Update the plone-session bundle to depend on the plone bundle instead of the jquery bundle, which no longer exists.
[davisagli] (#27)
4.0.0a1 (2022-04-08)
--------------------
Breaking changes:
- Register single resource bundle for Plone 6 for our optional refresh support.
An upgrade step for this is in plone.app.upgrade, otherwise we leave partial bundles behind.
Removed our own upgrade step and profile, as they are not needed when migrating from Plone 5.2.
[maurits] (#24)
3.7.5 (2020-06-24)
------------------
Bug fixes:
- Fix hard dependency indirection with Products.CMFPlone (plone.session must not import from it).
[jensens] (#20)
- Only setup a session when the current user is the requested user.
[maurits] (#57)
3.7.4 (2020-04-22)
------------------
Bug fixes:
- Minor packaging updates. (#1)
3.7.3 (2019-04-29)
------------------
Bug fixes:
- Fix nameclash resulting in ImportWarning by renaming ``profiles.py`` to ``hiddenprofiles.py``. [jensens] (#16)
3.7.2 (2019-02-13)
------------------
Bug fixes:
- Remove last traces of ZopeTestCase. [gforcada] (#14)
3.7.1 (2018-09-28)
------------------
Bug fixes:
- Python3 compatibility [ale-rt, pbauer]
3.7.0 (2018-04-03)
------------------
New features:
- Use Resource Registry for JS/CSS registration
[jensens]
Bug fixes:
- Fixes #11: Pseudo CSS-file is not loaded anymore in merged legacy bundle.
Now optional JS based auto-refresh support is working again.
[jensens]
- Modernize README.
[jensens]
3.6.2 (2018-02-02)
------------------
Bug fixes:
- Hardening default timeout of session.
This solves Plone security internal issue #126 (severity low, non-critical).
Session timeout is now the same as in mod_auth_tkt: 2h.
This follows the recommendation of the German BSI (federal office for security in the information technology).
See https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Internetsicherheit/isi_web_server_checkliste_Plone.pdf
For existing sites this can be adjusted at https://HOST/acl_users/session/manage_propertiesForm
The Plone Security Team follows the BSI and recommends administrators to change the setting in their existing Plone sites.
[jensens]
- Add Python 2 / 3 compatibility
[vincero]
3.6.1 (2016-12-02)
------------------
Bug fixes:
- Hide uninstall profile in install listings.
[jensens]
3.6.0 (2016-05-26)
------------------
New:
- Added uninstall profile. [maurits]
3.5.6 (2015-07-27)
------------------
- Cleanup: Pep8, plone style conventions, better readbility.
[jensens]
3.5.5 (2015-04-29)
------------------
- Default encoding for createTicket to be compatible with unicode
user_id [puittenbroek]
3.5.4 (2015-03-21)
------------------
- Move tests from PloneTestCase to plone.app.testing.
[tomgross]
3.5.3 (2013-03-05)
------------------
- Revert accidental change to default encoding for validateTicket.
[davisagli]
3.5.2 (2012-12-09)
------------------
- Use constant time comparison when validating tickets. This is part of the fix
for https://plone.org/products/plone/security/advisories/20121106/23
[davisagli]
3.5.1 - 2012-11-02
------------------
- Handle encoded strings for userids.
[elro]
- Add MANIFEST.in.
[WouterVH]
- Fix for Python 2.4 under 64bit Mac OS generating incorrect mod_auth_tkt
digests
[MatthewWilkes]
3.5 - 2011-03-19
----------------
- Disable secure cookie in development mode, to ease local testing.
[hannosch]
3.4 - 2011-03-02
----------------
- Added metadata.xml to the default profile.
[vincentfretin]
3.3 - 2010-12-30
----------------
- Update login.asp to match Plone 4.1 SSO login form functionality.
[elro]
- Fix remove.
[elro]
3.2 - 2010-12-14
----------------
- Remove ``external_login`` method, the normal ``logged_in`` script can be
used instead.
[elro]
- Fix refresh.
[elro]
3.1 - 2010-11-11
----------------
- Remove ``SessionPlugin.validate(ticket)`` method, it was not required.
[elro]
3.1b1 - 2010-10-18
------------------
- Session refresh.
[elro]
- ``SessionPlugin.validate(ticket)`` method.
[elro]
- Close <input> tags properly (chameleon compatibility)
[swampmonkey]
3.0 - 2010-07-18
----------------
- Update package metadata.
[hannosch]
3.0b5 - 2010-06-13
------------------
- Make sure to load the right meta ZCML.
[hannosch]
- Avoid deprecation warnings under Zope 2.13.
[hannosch]
- Removed dependency on GPL licensed Products.PloneTestCase.
[hannosch]
3.0b4 - 2010-05-23
------------------
- Make the ``secure`` option of cookies configurable. This allows to restrict
cookies to HTTPS connections alone. This closes
http://dev.plone.org/plone/ticket/7897.
[pfurman, hannosch]
- Use the standard libraries doctest module, instead of the deprecated one
from zope.testing.
[hannosch]
- Marked the session cookie as ``HTTPOnly``.
[hannosch]
- PEP8 cleanup.
[hannosch]
- Relicense as BSD following PF Board decision.
http://lists.plone.org/pipermail/membership/2010-April/001123.html
[elro]
3.0b3 - 2010-04-09
------------------
- Example IIS login form and documentation. This builds on work by Hanno and I
at Jarn for Centrepoint.
[elro]
- Support authentication by an external form, perhaps one running on an IIS
server with Integrated Windows Authentication.
[elro]
3.0b2 - 2010-03-09
------------------
- Prefix setupSession with underscore, the method should be unavailable TTW.
[elro]
- Catch a ComponentLookupError in authenticateCredentials.
[elro]
3.0b1 - 2010-03-05
------------------
- Add back the hash management UI with added functionality to set shared
secret.
[elro]
- Add properties for cookie domain and ticket validity timeout.
[elro]
- Use mod_auth_tkt format cookies to give us a session validity timeout.
By default we use a more secure HMAC SHA-256 hashing scheme. An MD5 based
scheme compatible with other mod_auth_tkt implementations is optional.
[elro]
- Remove the source component indirection.
[elro]
3.0a2 - 2009-11-13
------------------
- Remove hash management UI which had been accidentally re-merged.
[davisagli]
3.0a1 - 2009-04-04
------------------
- Avoid deprecation warning for the sha module in Python 2.6.
[hannosch]
- Declare test dependencies in an extra.
[hannosch]
- Specify package dependencies.
[hannosch]
- Fixed the remaining tests to work with the new keyring backend.
[hannosch]
- Fixed a component lookup call in the HashSession source.
[davisagli, hannosch]
- Update default (hash) session source to use plone.keyring to manage the secrets.
[wichert]
2.1 - 2009-02-04
----------------
- Protect the setupSession call with the ManageUsers permission.
Fixes possible privilege escalation.
[maurits]
- Make the cookie lifetime configurable. Patch by Rok Garbas.
Fixes http://dev.plone.org/plone/ticket/7248
[wichert, garbas]
2.0 - 2008-07-08
----------------
- Fix CSRF protection for managing server secrets via the Plone session
plugin for PAS. Fixes http://dev.plone.org/plone/ticket/8176
[witsch]
1.2 - 2007-02-15
----------------
- Use the binascii base64 methods to encode/decode the session cookie. This
prevents newlines being inserted in long cookies.
[wichert]
1.1 - 2007-09-11
----------------
- Use the userid instead of the login name in session identifiers. This has the
side-effect of working around a bug in PAS which caused us to mix up users when
the login name used was an inexact match for another login name.
[wichert]
1.0 - 2007-08-15
----------------
- First stable release
[wichert]
Raw data
{
"_id": null,
"home_page": "https://github.com/plone/plone.session/",
"name": "plone.session",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": "",
"keywords": "PAS session authentication Zope auth_tkt",
"author": "Plone Foundation",
"author_email": "plone-developers@lists.sourceforge.net",
"download_url": "https://files.pythonhosted.org/packages/f8/2c/647ded47fac3e4cb714c34eef884cb46ea1ff1ae9f69a3d21e691c67c188/plone.session-4.0.4.tar.gz",
"platform": null,
"description": "Overview\n========\n\n*plone.session* implements secure session management for Zope sites.\n\nIn its default configuration *plone.session* uses an HMAC_ SHA-256_ secure cryptographic hash to authenticate sessions.\nThe hash is generated using the userid and a secret stored in the PAS plugin.\nOtherwise, the cookie format is identical to that of Apache's mod_auth_tkt_.\nFor single sign on with the original mod_auth_tkt or another compatible implementation, set the ``mod_auth_tkt`` property to true.\nThis invokes an MD5_ based double hashing scheme.\nYou will need to use the same secret across all servers.\n\nThis has several advantages over other session management systems:\n\n* passwords are not sent to the server in a cookie on every request, as is done by the *Cookie Auth Helper*\n* it does not require any ZODB write for sessions, as is needed by the *Session Crumbler*.\n This allows it to scale very well.\n* it allows you to invalidate all existing authentication cookies for users by updating the secret.\n* The cookie is only valid for the period specified by the ``timeout`` property.\n\nThere are some downsides to this approach:\n\n* if a user's password is changed or disabled session identifiers will continue to work, making it hard to lock out individual users.\n* a user must have cookies enabled.\n\nA session cookie is used to track sessions;\nthat means that as long as a user keeps his browser open (and does not explicitly log out) the session remains open until the timeout limit is reached.\nThis can be changed by setting the ``timeout`` property of the plugin to the number of seconds the cookie should remain valid *after the moment of login*.\n\n*plone.session* does **not** excuse you from setting up TLS (aka HTTPS) for your site.\n\n``tktauth.py`` implements the core mod_auth_tkt functionality.\nIt is self-contained and may be of useful to other frameworks.\n\n.. _mod_auth_tkt: http://www.openfusion.com.au/labs/mod_auth_tkt/\n.. _MD5: http://en.wikipedia.org/wiki/MD5\n.. _HMAC: http://en.wikipedia.org/wiki/HMAC\n.. _SHA-256: http://en.wikipedia.org/wiki/SHA-256\n\n\nUsing plone.session\n===================\n\n*plone.session* only takes care of handling sessions for already authenticated users.\nThis means it can not be used stand-alone: you need to have another PAS plugin, such as the standard *Cookie Auth Helper* to take care of authentication.\n\nAfter a user has been authenticated *plone.session* can take over via the PAS *credentials update* mechanism.\n\n\nConfiguration options\n=====================\n\nTo enable logins between sites or other mod_auth_tkt systems, set the shared secret through the Zope Management Interface.\nYou can manage the ``plone.keyring`` secrets through the same page.\n\nThe following properties may be set through the ``Properties`` tab:\n\nCookie validity timeout (in seconds)\n After this, the session is invalid and the user must login again.\n Set to 0 for the cookie to remain valid indefinitely.\n Note that when the user folder has caching enabled, cookie validity may not be checked on every request.\n\nRefresh interval (in seconds, -1 to disable refresh)\n This controls the refresh CSS max-age (see below.)\n\nUse mod_auth_tkt compatible hashing algorithm\n Compatibility with other implementations, but at the cost of using a weaker hashing algorithm.\n\nCookie name\n Which cookie to use. This must also be set on the ``credentials_cookie_auth`` plugin.\n\nCookie lifetime (in days)\n This makes the cookie persistent across opening and closing the browser.\n\nCookie domain (blank for default)\n A cookie may be shared across www1.example.com and www2.example.com by setting the cookie domain to ``.example.com``.\n\nCookie path\n What path the cookie is set valid (defaults to ``/``).\n\n\nTicket refresh\n==============\n\nTo enable short validity timeouts you must ensure that the cookie is regularly updated.\nOne option is to put mod_auth_tkt in front of your site and set a ``TktAuthTimeoutRefresh``.\nAs of *plone.session 3.1*, an independent javascript solution is also supplied, installable as an optional add-on in Plone.\n\nTheory of operation\n-------------------\n\nThe optional add-on installs a css resource which updates the cookie when loaded.\nThis allows the cookie to be updated every time a page is loaded.\nWhile this CSS cannot cached by proxy servers, it may be cached for a time on the client.\nBy controlling the ``max-age`` of the CSS resource, it is possible to control how often the browser actually fetches the CSS and hence how often the cookie is updated.\n\nWith short timeouts (15 or 30 minutes say), a user may not have loaded a new page before their cookie becomes invalid.\nA javascript is included which polls the cookie refresh CSS periodically while the user is active on the page (key presses or mouse moves.)\nIf the refresh CSS max-age has passed, then the browser will refetch the CSS and the cookie will be updated.\nThe poll interval may be configured on the refresh CSS query string ``minutes`` parameter, with the default being 5 minutes.\n\n\nTicket removal\n==============\n\nWhen login sessions are shared across domains, it can be helpful to log users out of all domains when they log out of a Plone site.\nLoad the pseudo CSS ``http://example.com/portal_path/acl_users/session/remove?type=css`` on the ``/logged_out`` page for ticket removal.\n\n\nSingle Sign On with IIS\n=======================\n\nFor intranet setups with users on a Windows domain, it's possible to configure IIS with `Integrated Windows Authentication` to act as an external login provider, even for sites running on Linux/Unix servers.\n\n\nRequirements\n------------\n\n- You need a Microsoft Windows Server running IIS.\n Preferably Windows Server 2003 or a later version.\n\n- The server must be a member of the Windows domain you want to authenticate users for.\n It does not need to be an Active Directory server itself.\n\n- You site should use pas.plugins.ldap_ to use the same Active Directory as a user source.\n\n.. _pas.plugins.ldap: http://pypi.python.org/pypi/pas.plugins.ldap\n\n\nPython\n------\n\n- The Windows server needs to have `Python 2.7 <http://www.python.org/download/>`_ and the `Python Win 32 extensions build >=216 <http://sourceforge.net/projects/pywin32/files/>`_ installed.\n\n- Place a copy of ``tktauth.py`` (from plone/session of this package) into::\n\n C:\\Python26\\Lib\\site-packages\\\n\n- Follow these `instructions on how to configure Python for IIS <http://support.microsoft.com/kb/276494>`_.\n In bullet point 2.d. use::\n\n Executable: \"C:\\Python27\\python.exe -u %s %s\"\n\n instead.\n This will ensure files are opened in universal newline mode.\n You can choose to only configure these settings for the specific web site and not the entire IIS.\n Adjust settings accordingly and create the web site first as detailed in the next chapter.\n\n\nIIS\n---\n\n- Find and open the IIS management console.\n\n- Create a new `Web Site`, by going into the ``Web Sites`` folder and using the right-click menu.\n You should get a wizard asking you for various questions::\n\n Description: SSO login service\n\n TCP port: 80\n\n Path: c:\\Inetpub\\sso\n\n Allow anonymous access to this Web site: <not checked>\n\n Permissions: Read, Run scripts, Execute\n\n- If you are running IIS 6, you need to go to the ``Web Service Extensions`` folder and change ``Active Server Pages`` to be ``Allowed``.\n Otherwise you will get rather unhelpful ``404 Not Found`` errors for the asp scripts.\n\n\nIIS script\n----------\n\n- Copy the ``login.asp`` and ``test.asp`` scripts (from the iis-login folder of this package) into root path of the web site (for example C:\\Inetpub\\sso).\n\n- You need to modify the ``SECRET`` constant found in the ``login.asp`` to the same shared secret set on *plone.session's* ``Manage secrets`` tab.\n\n- Modify the ``ALLOWED_SITES`` constant in ``login.asp`` to include the URLs of your Plone sites.\n\n- Modify the ``DEFAULT_NEXT`` constant in ``login.asp`` to refer the the URL of ``logged_in`` on one of your Plone sites.\n\n- Access ``http://LOGONSERVER/test.asp`` to confirm access permissions are correctly configured.\n\n\nConfiguring browsers to allow automatic logon\n---------------------------------------------\n\nBrowsers must be configured to *trust* the logon server for user authentication data to be sent automatically.\n\nBy default, Internet Explorer sends logon information to servers within the *Intranet Zone*, so long as the site is accessed using it's intranet name (``http://LOGONSERVER/login.asp``).\nIf the site is accessed using a fully qualified domain name or IP address, it must be explicitly added to the list of `trusted sites <http://support.microsoft.com/kb/174360>`_.\n\nFirefox configuration information may be found in this `article <http://support.mozilla.com/en-US/kb/Firefox+asks+for+user+name+and+password+on+internal+sites>`_.\n\n\nConfiguring your Plone site\n---------------------------\n\nEnsure that you have setup authentication to Active Directory and that you can login with the your current Windows user name.\n\nSet the following configuration options through the Zope interface:\n\n- In ``/Plone/acl_users/session``. On the ``Manage secrets`` tab set a shared secret.\n\n- In ``/Plone/portal_properties/site_properties`` set ``external_login_url`` to ``http://LOGONSERVER/login.asp``.\n\n- In ``/Plone/portal_properties/site_properties`` set ``external_login_iframe`` to true.\n\nNote for developers testing this under Windows XP\n-------------------------------------------------\n\n- IIS may be installed as an additional component using the Windows XP installation CD.\n\n- The IIS management console can be located at::\n\n Start -> Control Panel -> Administrative Tools -> Internet Information Services\n\n- The pywin32 installer setup IIS sufficiently for me not to need to follow the *instructions on how to configure Python for IIS*.\n\n- I could not find how to setup a separate site, so placed the asp scripts directly in ``C:\\Inetpub\\wwwroot`` - the *Default Web Site*\n\n- From the IIS management console, select \"Default Web Site\".\n You should see ``login.asp`` and ``test.asp`` in the right hand pane.\n With each file, right-click Properties.\n On the `File Security` tab click Edit... on ``Anonymous access and authentication control``.\n Uncheck ``Anonymous access`` and check ``Basic authentication`` (to be used as a fallback) and ``Integrated Windows authentication``.\n\n- Access ``http://localhost/test.asp`` to confirm IIS authentication works as expected.\n\n- Set the secret in ``login.asp`` and ``Manage secrets`` of *plone.session*.\n\n- Set SITE_URL in ``login.asp`` to ``http://localhost:8080/Plone`` (or whatever the address of your site is).\n\n- Add a Plone user with the same name as your Windows login name (e.g. *Administrator*), this avoids setting up Active Directory.\n\n- Follow the section above to configure your Plone site, but set ``Login Form`` to ``http://localhost/login.asp``.\n\nChangelog\n=========\n\n.. You should *NOT* be adding new change log entries to this file.\n You should create a file in the news directory instead.\n For helpful instructions, please see:\n https://github.com/plone/plone.releaser/blob/master/ADD-A-NEWS-ITEM.rst\n\n.. towncrier release notes start\n\n4.0.4 (2023-09-08)\n------------------\n\nBug fixes:\n\n\n- Do not set an auth cookie after password reset, unless the user is authenticated.\n Otherwise anonymous users will be logged in immediately, even when autologin after password reset is false.\n Fixes `issue 3835 <https://github.com/plone/Products.CMFPlone/issues/3835>`_.\n [maurits] (#3835)\n\n\nInternal:\n\n\n- Update configuration files.\n [plone devs] (7723aeaf)\n\n\n4.0.3 (2023-03-21)\n------------------\n\nBug fixes:\n\n\n- Remove circular dependency on Products.CMFPlone. Use moved imports from plone.base instead.\n [jensens] (#38)\n\n\nInternal:\n\n\n- Update configuration files.\n [plone devs] (a533099d)\n\n\n4.0.2 (2023-02-07)\n------------------\n\nBug fixes:\n\n\n- Declare all dependencies.\n [gforcada] (#1)\n\n\n4.0.1 (2023-01-30)\n------------------\n\nInternal:\n\n\n- Update code to current Plone meta standards.\n [gforcada, maurits] (#1)\n\n\n4.0.0 (2022-12-02)\n------------------\n\nBug fixes:\n\n\n- Final release for Plone 6.0.0 (#600)\n\n\n4.0.0b2 (2022-08-31)\n--------------------\n\nNew features:\n\n\n- Creating per-user keyrings in order to have session invalidation on log-out (server-side logout). [david-batranu] (#26)\n- Cookie attribute SameSite is set to \"Lax\". (#29)\n\n\n4.0.0b1 (2022-07-22)\n--------------------\n\nBug fixes:\n\n\n- Update the plone-session bundle to depend on the plone bundle instead of the jquery bundle, which no longer exists.\n [davisagli] (#27)\n\n\n4.0.0a1 (2022-04-08)\n--------------------\n\nBreaking changes:\n\n\n- Register single resource bundle for Plone 6 for our optional refresh support.\n An upgrade step for this is in plone.app.upgrade, otherwise we leave partial bundles behind.\n Removed our own upgrade step and profile, as they are not needed when migrating from Plone 5.2.\n [maurits] (#24)\n\n\n3.7.5 (2020-06-24)\n------------------\n\nBug fixes:\n\n\n- Fix hard dependency indirection with Products.CMFPlone (plone.session must not import from it).\n [jensens] (#20)\n- Only setup a session when the current user is the requested user.\n [maurits] (#57)\n\n\n3.7.4 (2020-04-22)\n------------------\n\nBug fixes:\n\n\n- Minor packaging updates. (#1)\n\n\n3.7.3 (2019-04-29)\n------------------\n\nBug fixes:\n\n\n- Fix nameclash resulting in ImportWarning by renaming ``profiles.py`` to ``hiddenprofiles.py``. [jensens] (#16)\n\n\n3.7.2 (2019-02-13)\n------------------\n\nBug fixes:\n\n\n- Remove last traces of ZopeTestCase. [gforcada] (#14)\n\n\n3.7.1 (2018-09-28)\n------------------\n\nBug fixes:\n\n- Python3 compatibility [ale-rt, pbauer]\n\n\n3.7.0 (2018-04-03)\n------------------\n\nNew features:\n\n- Use Resource Registry for JS/CSS registration\n [jensens]\n\nBug fixes:\n\n- Fixes #11: Pseudo CSS-file is not loaded anymore in merged legacy bundle.\n Now optional JS based auto-refresh support is working again.\n [jensens]\n\n- Modernize README.\n [jensens]\n\n\n3.6.2 (2018-02-02)\n------------------\n\nBug fixes:\n\n- Hardening default timeout of session.\n This solves Plone security internal issue #126 (severity low, non-critical).\n Session timeout is now the same as in mod_auth_tkt: 2h.\n This follows the recommendation of the German BSI (federal office for security in the information technology).\n See https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Internetsicherheit/isi_web_server_checkliste_Plone.pdf\n For existing sites this can be adjusted at https://HOST/acl_users/session/manage_propertiesForm\n The Plone Security Team follows the BSI and recommends administrators to change the setting in their existing Plone sites.\n [jensens]\n\n- Add Python 2 / 3 compatibility\n [vincero]\n\n\n3.6.1 (2016-12-02)\n------------------\n\nBug fixes:\n\n- Hide uninstall profile in install listings.\n [jensens]\n\n\n3.6.0 (2016-05-26)\n------------------\n\nNew:\n\n- Added uninstall profile. [maurits]\n\n\n3.5.6 (2015-07-27)\n------------------\n\n- Cleanup: Pep8, plone style conventions, better readbility.\n [jensens]\n\n\n3.5.5 (2015-04-29)\n------------------\n\n- Default encoding for createTicket to be compatible with unicode\n user_id [puittenbroek]\n\n\n3.5.4 (2015-03-21)\n------------------\n\n- Move tests from PloneTestCase to plone.app.testing.\n [tomgross]\n\n\n3.5.3 (2013-03-05)\n------------------\n\n- Revert accidental change to default encoding for validateTicket.\n [davisagli]\n\n3.5.2 (2012-12-09)\n------------------\n\n- Use constant time comparison when validating tickets. This is part of the fix\n for https://plone.org/products/plone/security/advisories/20121106/23\n [davisagli]\n\n3.5.1 - 2012-11-02\n------------------\n\n- Handle encoded strings for userids.\n [elro]\n\n- Add MANIFEST.in.\n [WouterVH]\n\n- Fix for Python 2.4 under 64bit Mac OS generating incorrect mod_auth_tkt\n digests\n [MatthewWilkes]\n\n\n3.5 - 2011-03-19\n----------------\n\n- Disable secure cookie in development mode, to ease local testing.\n [hannosch]\n\n\n3.4 - 2011-03-02\n----------------\n\n- Added metadata.xml to the default profile.\n [vincentfretin]\n\n\n3.3 - 2010-12-30\n----------------\n\n- Update login.asp to match Plone 4.1 SSO login form functionality.\n [elro]\n\n- Fix remove.\n [elro]\n\n\n3.2 - 2010-12-14\n----------------\n\n- Remove ``external_login`` method, the normal ``logged_in`` script can be\n used instead.\n [elro]\n\n- Fix refresh.\n [elro]\n\n\n3.1 - 2010-11-11\n----------------\n\n- Remove ``SessionPlugin.validate(ticket)`` method, it was not required.\n [elro]\n\n\n3.1b1 - 2010-10-18\n------------------\n\n- Session refresh.\n [elro]\n\n- ``SessionPlugin.validate(ticket)`` method.\n [elro]\n\n- Close <input> tags properly (chameleon compatibility)\n [swampmonkey]\n\n\n3.0 - 2010-07-18\n----------------\n\n- Update package metadata.\n [hannosch]\n\n\n3.0b5 - 2010-06-13\n------------------\n\n- Make sure to load the right meta ZCML.\n [hannosch]\n\n- Avoid deprecation warnings under Zope 2.13.\n [hannosch]\n\n- Removed dependency on GPL licensed Products.PloneTestCase.\n [hannosch]\n\n\n3.0b4 - 2010-05-23\n------------------\n\n- Make the ``secure`` option of cookies configurable. This allows to restrict\n cookies to HTTPS connections alone. This closes\n http://dev.plone.org/plone/ticket/7897.\n [pfurman, hannosch]\n\n- Use the standard libraries doctest module, instead of the deprecated one\n from zope.testing.\n [hannosch]\n\n- Marked the session cookie as ``HTTPOnly``.\n [hannosch]\n\n- PEP8 cleanup.\n [hannosch]\n\n- Relicense as BSD following PF Board decision.\n http://lists.plone.org/pipermail/membership/2010-April/001123.html\n [elro]\n\n\n3.0b3 - 2010-04-09\n------------------\n\n- Example IIS login form and documentation. This builds on work by Hanno and I\n at Jarn for Centrepoint.\n [elro]\n\n- Support authentication by an external form, perhaps one running on an IIS\n server with Integrated Windows Authentication.\n [elro]\n\n\n3.0b2 - 2010-03-09\n------------------\n\n- Prefix setupSession with underscore, the method should be unavailable TTW.\n [elro]\n\n- Catch a ComponentLookupError in authenticateCredentials.\n [elro]\n\n\n3.0b1 - 2010-03-05\n------------------\n\n- Add back the hash management UI with added functionality to set shared\n secret.\n [elro]\n\n- Add properties for cookie domain and ticket validity timeout.\n [elro]\n\n- Use mod_auth_tkt format cookies to give us a session validity timeout.\n By default we use a more secure HMAC SHA-256 hashing scheme. An MD5 based\n scheme compatible with other mod_auth_tkt implementations is optional.\n [elro]\n\n- Remove the source component indirection.\n [elro]\n\n\n3.0a2 - 2009-11-13\n------------------\n\n- Remove hash management UI which had been accidentally re-merged.\n [davisagli]\n\n\n3.0a1 - 2009-04-04\n------------------\n\n- Avoid deprecation warning for the sha module in Python 2.6.\n [hannosch]\n\n- Declare test dependencies in an extra.\n [hannosch]\n\n- Specify package dependencies.\n [hannosch]\n\n- Fixed the remaining tests to work with the new keyring backend.\n [hannosch]\n\n- Fixed a component lookup call in the HashSession source.\n [davisagli, hannosch]\n\n- Update default (hash) session source to use plone.keyring to manage the secrets.\n [wichert]\n\n\n2.1 - 2009-02-04\n----------------\n\n- Protect the setupSession call with the ManageUsers permission.\n Fixes possible privilege escalation.\n [maurits]\n\n- Make the cookie lifetime configurable. Patch by Rok Garbas.\n Fixes http://dev.plone.org/plone/ticket/7248\n [wichert, garbas]\n\n\n2.0 - 2008-07-08\n----------------\n\n- Fix CSRF protection for managing server secrets via the Plone session\n plugin for PAS. Fixes http://dev.plone.org/plone/ticket/8176\n [witsch]\n\n\n1.2 - 2007-02-15\n----------------\n\n- Use the binascii base64 methods to encode/decode the session cookie. This\n prevents newlines being inserted in long cookies.\n [wichert]\n\n\n1.1 - 2007-09-11\n----------------\n\n- Use the userid instead of the login name in session identifiers. This has the\n side-effect of working around a bug in PAS which caused us to mix up users when\n the login name used was an inexact match for another login name.\n [wichert]\n\n\n1.0 - 2007-08-15\n----------------\n\n- First stable release\n [wichert]\n",
"bugtrack_url": null,
"license": "BSD",
"summary": "Session based auth tkt authentication for Zope",
"version": "4.0.4",
"project_urls": {
"Homepage": "https://github.com/plone/plone.session/"
},
"split_keywords": [
"pas",
"session",
"authentication",
"zope",
"auth_tkt"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "0332a08f4a117bae8ac650504b62799ce75441acb1f1f97da7eb7ba9b2a3bfff",
"md5": "e3bd769d9d709d2257588ff2a12b51c4",
"sha256": "0949b2ad92f057e9558fb1a638940279dfac8a7fbcba74c22fb61acfcec1a328"
},
"downloads": -1,
"filename": "plone.session-4.0.4-py3-none-any.whl",
"has_sig": false,
"md5_digest": "e3bd769d9d709d2257588ff2a12b51c4",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 28651,
"upload_time": "2023-09-08T09:30:45",
"upload_time_iso_8601": "2023-09-08T09:30:45.487846Z",
"url": "https://files.pythonhosted.org/packages/03/32/a08f4a117bae8ac650504b62799ce75441acb1f1f97da7eb7ba9b2a3bfff/plone.session-4.0.4-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "f82c647ded47fac3e4cb714c34eef884cb46ea1ff1ae9f69a3d21e691c67c188",
"md5": "1976a867167eeecaa46c7bf2a4e1d50d",
"sha256": "35bd27a23601bcdb9dd4ab4bc43e83d3cb5cd495ea432bd1a3bc6ce94afe0fe5"
},
"downloads": -1,
"filename": "plone.session-4.0.4.tar.gz",
"has_sig": false,
"md5_digest": "1976a867167eeecaa46c7bf2a4e1d50d",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 35792,
"upload_time": "2023-09-08T09:30:47",
"upload_time_iso_8601": "2023-09-08T09:30:47.466838Z",
"url": "https://files.pythonhosted.org/packages/f8/2c/647ded47fac3e4cb714c34eef884cb46ea1ff1ae9f69a3d21e691c67c188/plone.session-4.0.4.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-09-08 09:30:47",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "plone",
"github_project": "plone.session",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"tox": true,
"lcname": "plone.session"
}