Attention

This document was written for an unsupported version of Plone, Plone 2.5.x, and was last updated 1492 days ago.

Make Plone more secure: Disabling Base64-encrypted cookies with SessionCrumbler

by Fabian Kochem last modified May 17, 2009 09:53 AM
By default, Plone creates a cookie that stores your password Base64-encoded (not encrypted) whenever you log in. Here is a different approach that keeps login data in a server-side session instead of in a cookie.

Introduction

Whenever you log into Plone, it saves a cookie on your machine so that it can recognize you the next time you visit the site. Many sites do this to spare the user from logging in every single time they want to view a protected page, so this is intended as a usability feature and is not a big deal in itself. Usually the cookie holds a session ID, or a hash of the password such as MD5, so the cleartext password itself is never written to the cookie.

CMF, however (and by extension, Plone), stores the password on your local machine Base64-encoded. Base64 is an encoding, not encryption: it needs no key, so anyone who can read the cookie can decode it, which is why it is generally considered a very unsafe way to protect a password.

What is Base64?

Base64 is a binary-to-text encoding scheme that converts an arbitrary sequence of bytes into a sequence of printable ASCII characters; the reverse mapping is fixed and public. Protocols such as POP3 and SMTP use it to carry binary data like pictures in a readable text format, which shows why it is not suitable for protecting data that should not, under any circumstances, be read by people you don't trust: decoding it requires no secret at all.

I've never seen anything like that before, why should I care?

Well, whenever you leave your laptop or PC unattended (which happens more often than you might think), anyone can open your browser's cookie preferences, browse to a host that uses Plone and contains sensitive data, and copy the Base64-encoded value that is shown there. With a Base64 decoder it is no problem for them to see your password in clear text and log in to the site from their own machine afterwards.

How can I secure my Plone site?

It's easy:

1. Download SessionCrumbler, put it into your Products folder and restart Zope.
2. In the ZMI, create a new SessionCrumbler object with the ID "session_authentification" in your Plone portal.
3. Delete the object called "cookie_authentification" if there is one.
4. Restart your browser and log in again.

Now check your cookies: there is no Base64-encoded password anymore, because Zope stores your login data in REQUEST.SESSION from now on.
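The last step above ("check your cookies") can be automated. The following Python script is an added example, not code from this article or from SessionCrumbler: it parses Set-Cookie headers as a browser would, tries to Base64-decode every cookie value, and reports any cookie that decodes to something shaped like "name:password". The sample headers are constructed for the example; the cookie name "__ac" (CMF's CookieCrumbler) and "_ZopeId" (Zope's session browser id) are assumed names, so compare against what your own site actually sets. The point it demonstrates is the one the article makes: a Base64 cookie gives up the credentials without any key, while a session cookie carries only an opaque identifier that decodes to nothing useful.

```python
import base64
import binascii
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# CookieCrumbler stores login credentials as base64("name:password"), URL-quoted.
# This pattern describes what a decoded credential cookie looks like.
CREDENTIAL_RE = re.compile(r"^[\w.@-]{1,64}:[^\x00-\x1f]{1,128}$")

# Constructed sample responses, not captured from a real site.
# base64("admin:secret") == "YWRtaW46c2VjcmV0"
VULNERABLE_HEADERS = [
    "__ac=YWRtaW46c2VjcmV0; Path=/; HttpOnly",  # cookie name assumed
]
# A session-based login only hands the browser an opaque identifier.
SESSION_HEADERS = [
    "_ZopeId=y9VQ9tTCdU4mYx1dbYs; Path=/",  # cookie name and value constructed
]


def decode_cookie_value(value):
    """Return the Base64-decoded text of a (possibly URL-quoted) cookie value,
    or None when the value is not valid Base64 or does not decode to text."""
    raw = unquote(value)
    if not raw:
        return None
    # Strict validation: opaque tokens that merely look alphanumeric are rejected
    # instead of being "decoded" into garbage.
    try:
        decoded = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None


def find_credential_cookies(set_cookie_headers):
    """Scan Set-Cookie header lines and return [(cookie_name, decoded_text)]
    for every cookie whose value Base64-decodes to a 'name:password' string.
    An empty list means no cookie exposes recoverable login credentials."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses "name=value; Path=/; HttpOnly" like a browser
        for name, morsel in jar.items():
            text = decode_cookie_value(morsel.value)
            if text is not None and CREDENTIAL_RE.match(text):
                findings.append((name, text))
    return findings


if __name__ == "__main__":
    for label, headers in (("cookie-based login", VULNERABLE_HEADERS),
                           ("session-based login", SESSION_HEADERS)):
        hits = find_credential_cookies(headers)
        print(f"{label}: {hits if hits else 'no credential cookie found'}")
```

Run it after switching to SessionCrumbler with the real Set-Cookie lines from your own login response (your browser's developer tools or a local proxy show them) and expect an empty result; if the scan still reports a hit, the old "cookie_authentification" object is most likely still in place.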
