Community site: login faq

I'm trying to build an internal Plone site in which viewing content requires logging into the Plone site. Here's what I would like to do.

-Use https (I don't need my own certificate. I'll use the default webfaction one) on all pages in which it is possible to log into my plone site so that the original sending of username and password is encrypted.

-Once logged in, my understanding is that username and password data is hashed by plone, so I don't need to use https for all pages behind the login. Thus, I would like to use http on the rest of the site so that I can cache the site, reduce memory usage, and make it faster.

I have found some documentation online of how to do make the login https and the rest of the site http here at the bottom of the page, but as a relative newcomer to the plone bandwagon, I'm unsure of how to make this happen. Additionally, I have found multiple login_form files and have become doubtful that I can get the solution in the link to work. This is my main hang up. When it comes to caching, I have already set up Varnish, as described here. The documentation on this was great. Is it possible to do what I originally asked using webfaction servers, zope, and plone?

asked 19 Aug '11, 00:33

accept rate: 0%

Yes, that's all possible.

First, to enable HTTPS:

  1. Create a new site in the control panel for your HTTPS site. It should have the same settings as your HTTP site, except you should check the "HTTPS" box.
  2. Patch your Zope to make it play nice with our X-Forwarded-SSL headers: Using Zope Over HTTPS (I recommend method #1 from that page.)

Next, to force HTTPS for logins only:

  1. Log into your ZMI.
  2. Go to portal_skins/custom inside of your Plone site in the ZMI.
  3. Select "Script (Python)" from the "Add" list near the upper right of the page, then click the "Add" button.
  4. Enter getLoginAction in the ID field then click "Add and Edit"
  5. Clear the default script from the form and replace it with the example from here: getLoginAction (change "http://yourdomain.com/" to whatever domain your site is using).
  6. Find the login_form template used by your site. If you've enabled OpenID support for your site, then it will be in portal_skins/ploneopenid. Otherwise, it will probably be in portal_skins/plone_login. When you find the template, click on it, then click the 'Customize' button.
  7. Find the form tag in the template code and change the action attribute to context/getLoginAction, like this: <form tal:attributes="action context/getLoginAction"

That's it!

permanent link

answered 19 Aug '11, 12:19

accept rate: 37%

Thanks for all your help with a newbie. I followed all your instructions, but I have one last question. When I arrive on the login form webpage, it is not in https. It's in http. Does something else need to be done?

(19 Aug '11, 16:30) dustin_the_wind

The steps outlined above do not force the login form to be presented via HTTPS. They force it to be submitted via HTTPS.

If you look at the form tag in the page source, you should see something like "action="https://domain.com/login_form"".

If you don't, then you did something wrong somewhere :)

(19 Aug '11, 16:37) seanf

now, when i arrive on the login form webpage, it's in http. However, after i log in. the whole site stays in https slowing it down. is there a way to force my plone instance back to http after the log in?

(19 Aug '11, 17:01) dustin_the_wind

Hmm, when I tested the steps above I did not have that problem. Feel free to open a support ticket via the control panel to let me know your account name and domain of your site, and I'll have a look.

(19 Aug '11, 17:07) seanf

don't know why, but the problem corrected itself. got rid of all evidence of an htaccess file even though it shouldn't have mattered.

(23 Aug '11, 00:15) dustin_the_wind

Hi all,

thanks for this information sharing!

What about the settings for the (sub)domains in the WF Control Panel (https://my.webfaction.com/domains)? When I click on a domain (e.g. mydomain.com), I get to choose who handles normal web traffic (http) and secure web traffic (https). I presume I have to choose my 'Plone4' HTTP site for the former, and my 'Plone4Secure' HTTPS site for the latter. Is that right?

Do you also have some advice on the javascript login?

(11 Mar '12, 12:53) Roger Erens

Your assessment with the HTTP and HTTPS sites is correct. In general, you will need two site records - this is described here.

As for the javascript login, since HTTPS redirection is handled on the back end, you shouldn't need to specify anything specific to ensure that the login is secure. If your login is using an absolute URL, just make sure to use https://.

(12 Mar '12, 01:54) ryans ♦♦

Thanks for this how-to. I'm getting a name error message; here's the form stanza:

        <form tal:attributes="action python:context/getLoginAction"

Here' the bottom section of the traceback :

 Module zope.tal.talinterpreter, line 343, in interpret
  Module zope.tal.talinterpreter, line 583, in do_setLocal_tal
  Module zope.tales.tales, line 696, in evaluate
   - URL: /Plone/login_form
   - Line 24, Column 8
   - Expression: <PythonExpr context/getLoginAction>
   - Names:
      {'container': <PloneSite at /Plone>,
       'context': <PloneSite at /Plone>,
       'default': <object object at 0x7fb197e6c4e0>,
       'here': <PloneSite at /Plone>,
       'loop': {},
       'nothing': None,
       'options': {'args': (),
                   'state': <Products.CMFFormController.ControllerState.ControllerState object at 0x7cc2910>},
       'repeat': <Products.PageTemplates.Expressions.SafeMapping object at 0x6715af8>,
       'request': <HTTPRequest, URL=http://dev.theprosperos.org/Plone/acl_users/credentials_cookie_auth/require_login>,
       'root': <Application at >,
       'template': <ControllerPageTemplate at /Plone/login_form>,
       'traverse_subpath': [],
       'user': <SpecialUser 'Anonymous User'>}
  Module Products.PageTemplates.ZRPythonExpr, line 48, in __call__
   - __traceback_info__: context/getLoginAction
  Module PythonExpr, line 1, in <expression>
NameError: name 'getLoginAction' is not defined

Tried defining the getLoginAction in the tal:define stanza but no go.

(08 Apr '12, 12:19) williamF

I just logged into your site and didn't run into any errors. If you're still having some sort of issue, then can you please open a support ticket via the control panel to give us the details?

(08 Apr '12, 13:24) seanf

Right - stupid me. I mothballed the offending login_form.pt file. It's reinstated now, and I've opened a ticket.

(08 Apr '12, 15:54) williamF

Aha, I should have spotted this earlier!

It looks like the problem is that you've mixed a TAL path expression with a Python expression for your action attribute.

That won't work - you need to use one or the other, ie either all TAL like this...

tal:attributes="action context/getLoginAction"

... or all Python like this ...

tal:attributes="action python:context.getLoginAction()"

Either one of those changes should eliminate the error you're seeing now.

(08 Apr '12, 17:19) seanf

Hi guys, this looks very helpful, but can this not be made into a Plone product installable through buildout?

(15 Apr '14, 18:01) danimal

This is a pretty old HOWTO, so I'm not even sure that it works with the latest versions of Plone.

That said, sure, you could make this into an installable product if you need to. There might already be products available to do this, such as httpslogin.

(15 Apr '14, 18:08) seanf
showing 5 of 13 show 8 more comments

Not really an answer but a comment :

This how-to has served me well for several years. Both the HTTPRequest.py patch and the GetLoginAction script seemed to work fine in Plone 3.4.4. I think they're broken with Plone 4.3, however. I tried using the Method 2 patch for HTTPRequest.py and found that the code had changed significantly.

I figured, why worry about it if the GetLoginAction script works ? My aim is a secure login, right ?

That worked well when I was developing the Plone 4.3 site for migration. But when I added the Virtual Host Monster at my zope root (as part of moving the site into production), suddenly the GetLoginAction script didn't work anymore (page source showed login form "action=http..." instead of "action=https...."). I guess because the address identifiers in the .py script are getting scrambled by the VHM so the script isn't doing anything.

Posting here as this is tangentially relevant to this thread. Will open a separate question for this problem.

permanent link

answered 02 Dec '14, 02:02

accept rate: 0%

Thank you for your input.

(02 Dec '14, 02:35) johns
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 19 Aug '11, 00:33

question was seen: 10,532 times

last updated: 02 Dec '14, 02:35