Shane Hathaway wrote:
On Tue, 20 Apr 2004, Chris Withers wrote:


I wonder how many Plone users are aware their passwords are stored
unencrypted in client cookies which fly back and forth waiting to be
snapped up by packet sniffers, XSS, and JS attacks ;-)



Even with unbreakable encryption of credentials after login, you still
send the username and password in the clear at login time, and sniffers
can reuse the session ID with ease.  You really shouldn't tell the Plone
users they will be safer with a session token, because they won't.

Shane

Why not make the login page itself SSL-protected then?

peter.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to