Re: [Zope] Implementing a login form instead of BASIC authentication
Wouldn't that reduce system security?

> I am currently looking into implementing a login form to replace the standard BASIC authentication.

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
Re: [Zope] Implementing a login form instead of BASIC authentication
Meeting Maker Webmaster writes:
> I am currently looking into implementing a login form to replace the standard BASIC authentication.

Have a look at GUF or the new LoginManager. They do something similar to what you want. Either you can use them directly, or learn how they work and realize your own solution.

Dieter
Re: [Zope] Implementing a login form instead of BASIC authentication
Stephan Goeldi wrote:
> Wouldn't that reduce system security?

I think he means cookie-based authentication, as found on zope.org.

> I am currently looking into implementing a login form to replace the standard BASIC authentication.

Gérard,

Take a look at things like LoginManager and GUF which can do this sort of thing. They are standard replacements for the acl_users folder and will serve you a lot better than hacking around in User.py...

cheers,

Chris
Re: [Zope] Implementing a login form instead of BASIC authentication
> Stephan Goeldi wrote:
>> Wouldn't that reduce system security?
>
> I think he means cookie-based authentication, as found on zope.org.
>
>> I am currently looking into implementing a login form to replace the standard BASIC authentication.
>
> Gérard,
>
> Take a look at things like LoginManager and GUF which can do this sort of thing. They are standard replacements for the acl_users folder and will serve you a lot better than hacking around in User.py...

I am interested in this issue as well since we are looking hard at security. Here is my current thinking.

BASIC is not secure since the name:password is base64 encoded and not encrypted. DIGEST seems good in that it is encrypted and uses the Challenge/Response like BASIC for every HTTP transaction -- matched well with the stateless nature of HTTP.

Cookie based methods seem to assume some notion of session to me which fundamentally is a hack and is less secure than DIGEST, to wit:

1) One should encrypt the info in the cookie
2) How does one get around the stateless nature of HTTP in a secure way using cookies? In other words, unless the HTTP transaction is challenged every time, how do you really know that someone is not trying to slip into an existing session?

Also on the server side I need to share the login info among Zope and Tomcat -- has a methodology been developed to do so?

Regards,
Albert Boulanger
[EMAIL PROTECTED]
Re: [Zope] Implementing a login form instead of BASIC authentication
albert boulanger wrote:
> DIGEST seems good in that it is encrypted and uses the Challenge/Response like BASIC for every HTTP transaction -- matched well with the stateless nature of HTTP.

AFAIK, no browsers (maybe Mozilla, but that has the stability of a house of cards ;-) support Digest and I'm pretty sure that Zope doesn't either :(

> 1) One should encrypt the info in the cookie

Definitely

> 2) How does one get around the stateless nature of HTTP in a secure way using cookies? In other words, unless the HTTP transaction is challenged every time, how do you really know that someone is not trying to slip into an existing session?

Hehe, welcome to one of the biggest challenges on the web...

...that, and getting your CSS to be compatible with all the major browsers ;-)

cheers,

Chris
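The two cookie points raised in this exchange (protect what is in the cookie, and re-check it on every request so nobody rides an existing session), worked as an added Python example that is not code from the thread, from Zope, GUF or LoginManager. It uses an HMAC signature with an expiry rather than encryption, since the forgery problem is integrity, not secrecy; `SECRET_KEY` and the sample credentials are constructed placeholders, and `basic_credentials` only illustrates the point made above that Basic is base64, not encryption.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder: a real deployment loads a random key from secure storage.
SECRET_KEY = b"constructed-demo-key-do-not-use"

def basic_credentials(authorization_header):
    """Return (user, password) from a Basic Authorization header, or None."""
    # Basic is only base64-encoded, not encrypted: whoever reads the header
    # recovers the password, which is the thread's objection to it.
    scheme, _, blob = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password

def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()

def issue_session_cookie(username, ttl_seconds=900, now=None):
    """Build 'user|expiry|mac'; the MAC binds user and expiry together."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    now = time.time() if now is None else now
    payload = "%s|%d" % (username, int(now) + ttl_seconds)
    return payload + "|" + _mac(payload)

def verify_session_cookie(cookie, now=None):
    """Return the username if the cookie is authentic and unexpired, else None."""
    # Run on every request: a forged, altered or expired value never rides
    # an existing session, which is the "slip in" worry raised above.
    now = time.time() if now is None else now
    try:
        username, expiry, mac = cookie.split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    expected = _mac("%s|%d" % (username, expiry))
    # Constant-time comparison avoids leaking how many MAC characters matched.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return None
    if expiry < now:
        return None
    return username
```

The cookie value is still readable by its holder, so anything that must stay private should not be placed in it at all; the signature only stops it being altered or forged.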
Re: [Zope] Implementing a login form instead of BASIC authentication
All,

PHPlib (http://phplib.netuse.de) has a piece of javascript that creates MD5 hashes from the entries in a form, so you would never have to pass passwords in clear text; as long as the hash agrees with the one created server side, login is successful. The PHPlib docs describe it better than me, but it works great.

hth
Phil
[EMAIL PROTECTED]

----- Original Message -----
From: "Chris Withers" [EMAIL PROTECTED]
To: "albert boulanger" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, August 15, 2000 2:13 PM
Subject: Re: [Zope] Implementing a login form instead of BASIC authentication
[Zope] Implementing a login form instead of BASIC authentication
Hello,

I am currently looking into implementing a login form to replace the standard BASIC authentication. I've looked into AccessControl/User.py and there seems to be a validate function that would enable me to do it. The only problem is that I am unable to figure out how to use it.

The basic idea is to have a form that requires the username and the password. This will then enable users to log into the system.

Thank you for your help.

Best regards,

Gérard Métrailler Jr.
Meeting Maker Inc.
... the intelligent choice for collaborative scheduling
Email: [EMAIL PROTECTED]
Web: http://www.meetingmaker.com