Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-21 Thread Chris Withers
Shane Hathaway wrote: Even with unbreakable encryption of credentials after login, you still send the username and password in the clear at login time, and sniffers can reuse the session ID with ease. You really shouldn't tell the Plone users they will be safer with a session token, because they

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-20 Thread Chris Withers
Shane Hathaway wrote: Making cookie authentication secure is surprisingly difficult, and you've barely taken one step. So how does PAS do cookie auth then? Chris -- Simplistix - Content Management, Zope Python Consulting - http://www.simplistix.co.uk

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-20 Thread Chris Withers
Shane Hathaway wrote: Hmm. I really wasn't expecting any new code yet. Session cookies are a very significant maintenance burden in Zope, and it's not in my interest to support them. If you don't mind, I think I'll release a version of CC without any session support, then I'll give Chris

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-20 Thread Peter Sabaini
Shane Hathaway wrote: On Tue, 20 Apr 2004, Chris Withers wrote: I wonder how many Plone users are aware their passwords are stored unencrypted in client cookies which fly back and forth waiting to be snapped up by packet sniffers, XSS, and JS attacks ;-) Even with unbreakable encryption of

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-20 Thread Shane Hathaway
On Tue, 20 Apr 2004, Peter Sabaini wrote: Shane Hathaway wrote: Even with unbreakable encryption of credentials after login, you still send the username and password in the clear at login time, and sniffers can reuse the session ID with ease. You really shouldn't tell the Plone users

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-20 Thread Peter Sabaini
Chris Withers wrote: Shane Hathaway wrote: Hmm. I really wasn't expecting any new code yet. Session cookies are a very significant maintenance burden in Zope, and it's not in my interest to support them. If you don't mind, I think I'll release a version of CC without any session support, then

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-20 Thread Peter Sabaini
Shane Hathaway wrote: On Tue, 20 Apr 2004, Peter Sabaini wrote: Shane Hathaway wrote: Even with unbreakable encryption of credentials after login, you still send the username and password in the clear at login time, and sniffers can reuse the session ID with ease. You really shouldn't tell the

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-16 Thread Stuart Bishop
On 13/04/2004, at 4:28 PM, Kapil Thangavelu wrote: fwiw, Simon Eisenmann checked in a SessionStorage product into the collective which does much the same. Released under the ZPL: http://cvs.sourceforge.net/viewcvs.py/collective/SessionCrumbler/ Looks

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-16 Thread Stuart Bishop
On 13/04/2004, at 1:40 PM, Shane Hathaway wrote: On 04/12/04 09:04, Chris Withers wrote: For me, that's worth patching for, it's up to you if you want to include it in an official CookieCrumbler release or not ;-) BTW, I wouldn't mind if you or Stuart

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-16 Thread Shane Hathaway
On Sat, 17 Apr 2004, Stuart Bishop wrote: BTW, I wouldn't mind if you or Stuart took over maintainership of CookieCrumbler after the next release. Then you'd be able to take it any direction you want. I don't believe its model can support well the things you're asking it to do, but

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-13 Thread Kapil Thangavelu
fwiw, Simon Eisenmann checked in a SessionStorage product into the collective which does much the same. Released under the ZPL: http://cvs.sourceforge.net/viewcvs.py/collective/SessionCrumbler/ -kapil

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-13 Thread Lennart Regebro
From: Shane Hathaway [EMAIL PROTECTED] Making cookie authentication secure is surprisingly difficult, and you've barely taken one step. I don't want CookieCrumbler to go in this direction at all. A much more fruitful endeavor would be to simply add digest authentication support to Zope's

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Stuart Bishop
On 12/04/2004, at 10:39 PM, Shane Hathaway wrote: On Mon, 12 Apr 2004, Chris Withers wrote: I think the attached patch (against CookieCrumbler 1.1) makes CookieCrumbler a little more secure. Your patch won't work with multiple ZEO app servers. It appears to store the tokens in a module global.

Re: [Zope-dev] Re: [patch] More secure cookie crumbler?

2004-04-12 Thread Shane Hathaway
On 04/12/04 09:04, Chris Withers wrote: For me, that's worth patching for, it's up to you if you want to include it in an official CookieCrumbler release or not ;-) BTW, I wouldn't mind if you or Stuart took over maintainership of CookieCrumbler after the next release. Then you'd be able to