Plone 6.0.0b3 session refresh support broken?

Plone Support
1

With enabled session refresh support installed (plone.session) I got this, can anyone confirm that it throws these errors?

2022-11-01 21:23:31,894 ERROR   [Zope.SiteErrorLog:17][waitress-2] 1667334211.89413760.2980599866023238 http://localhost:8080/Plone/++webresource++6e394ff2-5e80-5880-9df7-ed8e59129465/acl_users/session/refresh
Traceback (innermost last):
  Module ZPublisher.WSGIPublisher, line 167, in transaction_pubevents
  Module ZPublisher.WSGIPublisher, line 376, in publish_module
  Module ZPublisher.WSGIPublisher, line 271, in publish
  Module ZPublisher.mapply, line 85, in mapply
  Module Products.PDBDebugMode.wsgi_runcall, line 60, in pdb_runcall
  Module plone.session.plugins.session, line 432, in refresh
  Module plone.session.plugins.session, line 403, in _refreshSession
  Module plone.session.plugins.session, line 231, in _validateTicket
  Module plone.session.tktauth, line 246, in splitTicket
ValueError
2

I get the same error when installing the add-on plone.session 4.0.0b2 in a fresh installed Plone 6.0.0b3 (Classic UI):

2022-11-16 01:37:41,892 ERROR   [Zope.SiteErrorLog:35][waitress-2] ValueError: http://localhost:8081/Plone/++webresource++6e394ff2-5e80-5880-9df7-ed8e59129465/acl_users/session/refresh
Traceback (innermost last):
  Module ZPublisher.WSGIPublisher, line 167, in transaction_pubevents
  Module ZPublisher.WSGIPublisher, line 376, in publish_module
  Module ZPublisher.WSGIPublisher, line 271, in publish
  Module ZPublisher.mapply, line 85, in mapply
  Module ZPublisher.WSGIPublisher, line 68, in call_object
  Module plone.session.plugins.session, line 432, in refresh
  Module plone.session.plugins.session, line 403, in _refreshSession
  Module plone.session.plugins.session, line 231, in _validateTicket
  Module plone.session.tktauth, line 246, in splitTicket
ValueError
3

The ticket passed to _validateTicket is b'61646d696e:61646d696e' (length 21). Expected is at least length 40 (see plone.session.tktauth, line 249, in splitTicket):

    digest = ticket[:32]
    val = ticket[32:40]
    remainder = ticket[40:]
4

After changing the admin password these errors seem not to appear.

I tested the following scenarios:

Scenario 1

  1. Install Plone (not only a site!)
  2. create a Site,
  3. change admin password. Enter a different password!
  4. No ValueError

Scenario 2

  1. Install Plone (not only a site!)
  2. create a Site,
  3. change admin password. Enter the same password, so that the cookie doesn't change
  4. ValueError is still there

Scenario 3

  1. Install Plone (not only a site!)
  2. create a Site,
  3. change admin password. Enter a different password!
  4. No ValueError
  5. keep your browser open (i.e. with the cookies)
  6. Install Plone (not only a site!) again
  7. visit with the ticket from the cookie.
  8. No ValueError
  9. remove the cookies and exit the browser (or visit Plone with another browser)
  10. visit Plone again without cookies
  11. ValueError is there again!!

Possible hint. The password is generated by cookiecutter-zope-instance (see post_gen_project.py#L58). I don't know how this password is handled by Zope.

5

This is the initial password feature by Zope itself. the cookiecutter creates an inituser file here

Then Zope grabs it and creates a user on first start (and IIRC removes the file), see 12. Users and Security — Zope 5.9 documentation

1 Like
6

maybe the password is too short and generate a short ticket? admin is a Zope user, maybe something change if logging in Zope or in Plone?

7

The error doesn't appear with a longer password. Tested with password='123qweasd123qweasd123qweasd'.

1 Like
8

The same problem occurs with SSHA encoding

from AuthEncoding import AuthEncoding
pw = AuthEncoding.pw_encrypt(password, 'SSHA')
fp.write(username.encode('utf-8') + b':' + pw + b'\n')
9

So the default password is too short?

10

it seems so. But changing it in the Management Interface works without poblems even if it is short (e.g. "admin")

11

Seems like a problem when creating the initial password. Zope maybe does not have all the pas plugin enabled and maybe something is missing. When you update from the web interface, all is ok.

1 Like
12

I can also confirm this behavior. Today i run in the same issue. If i change the password to length > 10, all is fine

13

The ValueError doesn't show when installing plone.session via RESTAPI in a fresh Plone site which hasn't been visited with a browser.

$ SITE_URL=http://localhost:8081/Plone
$ USER=admin:admin
$ curl -s -X GET ${SITE_URL}/@addons -H "Accept: application/json" --user ${USER} \
    | jq -r '.items[] | select(.id=="plone.session") | .is_installed'
false

$ curl -i -X POST ${SITE_URL}/@addons/plone.session/install -H "Accept: application/json" --user ${USER}
$ curl -s -X GET ${SITE_URL}/@addons -H "Accept: application/json" --user ${USER} \
    | jq -r '.items[] | select(.id=="plone.session") | .is_installed'
true

It shows first, when a page is requested from a browser. This could maybe be a problem with cookies.