Shane Hathaway wrote:
> On Tue, 20 Apr 2004, Peter Sabaini wrote:
>
>> Shane Hathaway wrote:
>>
>>> Even with unbreakable encryption of credentials after login, you still
>>> send the username and password in the clear at login time, and sniffers
>>> can reuse the session ID with ease.  You really shouldn't tell the Plone
>>> users they will be safer with a session token, because they won't.
>>
>> Why not make the login page itself SSL-protected then?
>
> If you're going to go to the trouble of setting up SSL, why not encrypt
> the whole session?  Let anonymous users come in via HTTP, then go all-SSL
> for logged in users.  Sourceforge is a great example of this.

Yes, that's what I was talking about. In our Zope apps this is standard procedure -- we have one non-SSL welcome page at the most, everything else goes through HTTPS, makes sense IMHO for data acquisition applications with at least moderately sensitive data

peter.
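The scheme the thread converges on (anonymous browsing over HTTP, login and every logged-in request over HTTPS, so neither the password nor a reusable session ID ever crosses the wire in the clear) as an added example; this is not code from the thread or from Zope itself, and the `/login` path, the `__ac` cookie name and the WSGI-style environ keys are assumptions for illustration.

```python
# Added example, not from the thread. Implements the policy discussed above:
# anonymous requests may use HTTP; the login page and any request carrying a
# session cookie are forced onto HTTPS, and new session cookies are marked
# Secure so the browser never sends them over plain HTTP in the first place.
from http.cookies import SimpleCookie
from urllib.parse import urlunsplit

SESSION_COOKIE = "__ac"   # assumed session/auth cookie name (hypothetical)
LOGIN_PREFIX = "/login"   # assumed login page path (hypothetical)


def has_session(environ):
    """True if the request carries the session cookie."""
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return SESSION_COOKIE in cookies


def https_url(environ):
    """Rebuild the requested URL with the https scheme, keeping the query."""
    host = environ.get("HTTP_HOST", "localhost")
    path = environ.get("PATH_INFO", "/")
    query = environ.get("QUERY_STRING", "")
    return urlunsplit(("https", host, path, query, ""))


def enforce_policy(environ):
    """Return (status, headers) for a redirect, or None to let the request proceed.

    https requests always proceed; http requests proceed only when they are
    anonymous and not aimed at the login page. A sniffed session ID is useless
    if the cookie is Secure, but this check also catches older non-Secure cookies.
    """
    if environ.get("wsgi.url_scheme", "http") == "https":
        return None
    path = environ.get("PATH_INFO", "/")
    if path.startswith(LOGIN_PREFIX) or has_session(environ):
        return ("302 Found", [("Location", https_url(environ))])
    return None


def session_cookie_header(session_id):
    """Set-Cookie header for a fresh session: Secure (HTTPS only) and HttpOnly."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["secure"] = True
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["path"] = "/"
    return ("Set-Cookie", cookie[SESSION_COOKIE].OutputString())
```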

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope )