Plone secure login, the secure partΒΆ

Tags: plone

In Plone secure login, the insecure part I showed the insecure login via http and the insecure authentication cookie. Here's a way in which you can improve the security.

Secure sessions

If you install SessionCrumbler according to the installation instructions (basically replacing cookie_crumbler with session_crumbler), the login mechanism will use a cookie with a session ID instead of a cookie with the login data. Using LiveHttpHeaders:

   Cookie: _ZopeId="58768270A2TfqKoWLsw"

This is one less thing to worry about. It comes at the price of some disadvantages, see plip 48 :

  • In the standard setup, sessions apparently only allow 1000 users. And every session takes up some memory, so if your site has lots of logged in users, you can get a performance hit.

    You can solve the 1000-user-limitation with a config setting, though of course not the memory hit, in your zope.conf:

         maximum-number-of-session-objects 10000

  • With a multiple-zeo-setup you need to look at

To remove the cookie_authentication and replace it with a session_authentication, you can use the following code in your installer:

    # Add this as a method in your (App)
    if 'cookie_authentication' in portal.objectIds():
        out.write("Cookie auth found, removed it.\n")
        SCfactory = portal.manage_addProduct['SessionCrumbler'].manage_addSC

After you've done that, you now suddenly have a problem with your plone logins. It turns out that CMFPlone/skins/plone_login/login_form.cpt and CMFPlone/skins/plone_portlets/ have a hardcoded line in there that checks for cookie_authentication:

    auth nocall:here/cookie_authentication|nothing

You'll have to change that to session_authentication in both places.

Secure https

When you use https instead of http, you encrypt all your traffic. Cookies, form parameters, the page itself, all. The drawback is that https is not cached, which is a good way of killing the performance of your site :-)

You can get away with doing the minimum: just use https for sending the login data. The came_from parameter that plone passes along in the login form 'll put you right back in normal http country afterwards, so that's OK.

So you need to change the login portlet and the login_form to have https as their action instead of just http. The login mechanism should redirect back to the http site afterwards. But you probably only want this on the production site, not on the development machines. It can get more complicated: say that you have both a production and a preview site, then you'd need to take care of not accidentally redirecting from preview to production or the other way around.

Pair programming with Daniel Nouri, I created a script that would return the normal "portal url + /login_form" action for sending the login data, except when the URL starts with a specific string that you use to identify your partially-https-fronted production website:

    ## Script (Python) "getLoginAction"
    ##bind container=container
    ##bind context=context
    ##bind namespace=
    ##bind script=script
    ##bind subpath=traverse_subpath
    ##title=return the action for logging in, taking into account https

    portal_url = context.portal_url()
    NEEDS_HTTPS = ['',
    for url_start in NEEDS_HTTPS:
        if portal_url.startswith(url_start):
            portal_url = portal_url.replace('http://', 'https://')

    return portal_url + '/login_form'

You need to call this script from both the login_form and the portlet_login. The following example is from the login_form.cpt:

      <form tal:attributes="action context/getLoginAction"

Now the only thing left to do is to make sure your webserver accepts https connections, at least to /login_form.

(Old imported comments)
"just use plone.session" by reinout on 2008-03-03 22:36:17
Plone.session already does everything you want. Secure, fast.

The only thing left is that the initial username/password from the login form are still send unencrypted unless you use https there.
"(App)" by on 2008-02-27 11:06:07
what's the directory of "(App)"? Is the sessioncrumbler just suit for version earlier than plone 3.0? Because I am using plone 3.0.4, and I found there is already a session plugin in PlonePAS.
"Tnx" by Lucas Andion on 2006-05-25 11:22:11

Sorry for the big title, i dont realize this was structured text :D

I had done a zpt in my product pointing to a "home made" login page and it works... well, it works but if you must put that zpt with "Anonumous" permission ;) ... well i was wondering about how the logout was made since I cant made it with a $product_url/logout, but i read your comment, an i realized that I forgot the python scripts in there... i will have a look.

Since this is usefull for someone, i will put my results on:

Tnx again

"Copy and modify plone's ones" by Reinout van Rees on 2006-05-25 09:02:07
I haven't done "plain" zope work in two years or so, so there's a big chance that I'm mistaken.

The login_form as such isn't the important part, though you'll need some fill-in form with the correct form parameters. A 'view source' will help just as much. The important part is the python (controller?) script that login_form's form action points to. Copy that from plone, including the .metadata file. Then you can probably figure it out from there.

I wasn't really aware that sessioncrumbler was plone-only. My initial suspicion would be that it would include a template or so that's usable in plain zope. Perhaps search for 'session' in the product search one more time?

Good luck!
"How i change the login_form?" by Lucas on 2006-05-25 08:12:56

Hi, i was wondering what i must do to change (to make in my case,cause i dont use plone, only zope) the login_form ... i see in SessionCrumbler:

auto_login_page = login_form unauth_page = '' logout_page = logged_out

Must i make a zpt/dtml in my product and Mandatory name it login_form or auto_login_page?

If it's that way, i guess the way to logout is as simply as making a link somewhere that points to: $your_object_with_sessioncrumbler_url/logout_page , is this correct?

Thnks, and greetings for the page, its hard to find zope doc. from real users (not developers).

"No realbasic knowledge here :-)" by Reinout van Rees on 2006-05-24 13:58:05
Sorry, I don't know a thing about realbasic :-)

In principle, though, using a https site is the same as using a http site. Using the realbasic equivalent of url_open('') or so should work. Assuming that realbasic supports https just like http.

Also, logging into a https site isn't really different from logging into http. http basic authentication (the normal http login popup) is still the same, only encrypted over https. If you need cookies for login (like plone), that also works the same as http.

So: figure out how your browser does it and mimic that. Hope it helps!
"Just What is the HTTPS Login in Form?" by Ray Fleischmann on 2006-05-24 13:51:46

Hello, I'm sorry if this is the wrong place to ask this question but I have been searching around and so far this is the closest that I have come to what I an searching for. I'm trying to use RealBasic to write a program that will login to a HTTPS site to extrate a report that I currently must copy and paste out of. I'm trying to locate the exact steps needed. If you could point me in the right direction I would greatly appreciate it. My email address is Thanks in advance!!!!!

"Haven't looked at it yet" by Reinout van Rees on 2006-05-10 15:39:00
I haven't looked at plonePAS yet, to my shame. Too many customers, though that doesn't excuse me :-)

My boss forwarded a plone.user mailinglist message (asking for the same thing) asking me "whether that was a nice challenge or what!", so I'll get around to it for sure.

No quick answer, sorry!
"Session auth & PlonePAS" by ET on 2006-05-10 15:27:17

How do you get session authentication working with PlonePAS? logo

About me

My name is Reinout van Rees and I work a lot with Python (programming language) and Django (website framework). I live in The Netherlands and I'm happily married to Annie van Rees-Kooiman.

Weblog feeds

Most of my website content is in my weblog. You can keep up to date by subscribing to the automatic feeds (for instance with Google reader):