SessionCrumbler

Zope Authentication token in Session instead of Cookie

SessionCrumbler is a replacement for CMF's CookieCrumbler which uses the Session to store the user's authentication token instead of a Cookie.

What is SessionCrumbler

SessionCrumbler provides a session based login for user folders that do not support this themselves. The SessionCrumbler implementation relies on the CookieCrumbler from CMFCore and therefore requires the CMFCore product. It is meant to be used in a CMF/Plone or icoya site to provide logins which time out when the user hasn't performed any action within a period of time.

Compared to CookieCrumbler, SessionCrumbler doesn't use a cookie to store the authentication information, but stores the __ac authentication token inside the current user's Zope session (REQUEST.SESSION).

Why use SessionCrumbler

  • CookieCrumbler is highly insecure because it stores the password, merely base64 encoded, inside a cookie. This cookie is stored on the local client's hard disk and transmitted with every single request. SessionCrumbler transmits the password only once, during the login process. Afterwards only the session ID is transmitted with each request.
  • Further, the sessions (and therefore the logins as well) automatically time out when the user doesn't do anything for a certain period of time. See the README.txt inside the SessionCrumbler folder for how to configure this.
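To make the contrast concrete, here is an added model of the two designs (not code from SessionCrumbler or CMFCore): a CookieCrumbler-style __ac value that carries the credentials themselves, next to a server-side session store that hands the client only an opaque session ID and expires idle sessions. The idle timeout, the store class and the sample credentials are assumptions of this example.

```python
import base64
import secrets

# Constructed model for illustration; the real products use Zope's REQUEST
# and SESSION objects rather than these plain Python containers.


def cookie_token(user: str, password: str) -> str:
    """CookieCrumbler-style __ac value: credentials, merely base64-encoded."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def recover_from_cookie(token: str) -> tuple:
    """Whoever holds the cookie (disk, proxy log, sniffer) gets the password back;
    base64 is an encoding, not encryption, so no secret is needed."""
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


class SessionStore:
    """SessionCrumbler-style store: the token stays on the server, the client
    only ever sends back a random session id (assumed idle timeout in seconds)."""

    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session id -> (__ac token, last activity time)

    def login(self, user: str, password: str, now: float) -> str:
        # The password crosses the wire once, here; only the id goes back.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (cookie_token(user, password), now)
        return sid

    def authenticate(self, sid: str, now: float):
        """Return the user name for a live session, or None if unknown/expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        token, last_activity = entry
        if now - last_activity > self.idle_timeout:
            del self._sessions[sid]  # idle too long: the login itself expires
            return None
        self._sessions[sid] = (token, now)  # activity refreshes the timeout
        return recover_from_cookie(token)[0]
```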

Feedback wanted

Are you using SessionCrumbler? Please send me feedback, either by mail or by commenting on this page. Thanks!

Download

SessionCrumbler Release 0.2 (stable), released Thu 01. Sep 2005 14:44 by longsleep

SessionCrumbler Release 0.1 (stable), released Sun 10. Oct 2004 17:09 by longsleep


Copyright Simon Eisenmann http://longsleep.org/ - Licensed under a Creative Commons License
