Stephan Goeldi wrote:
   > Wouldn't that reduce system security?

   I think he mean cookie-based authentication, as found on

   > >I am currently looking into implementing a login form to replace the
   > >standard BASIC authentication.


   Take a look at things like LoginManager and GUF which can do this sort
   of thing. They are standard replacements for the acl_users folder and
   will serve you a lot better than hackign around in

I am intersested in this issue as well since we are looking hard at security.
Here is my current thinking.

BASIC is not secure since the name:password is base64 encoded and not

DIGEST seems good in that it is encrypted and uses the
Challange/Response like BASIC for every HTTP transaction -- matched well
with the stateless nature of HTTP.

Cookie based methods seem to assume some notion of session to me which
fundamentally is a hack and is less secure than DIGEST, to wit:

 1) One should encrypt the info in the cookie
 2) How does one get around the stateless nature or HHTP in secure way using
    cookies? In other words, unless the HTTP transaction is challenged every 
    time, how do you really know that someone is not trying to slip into an 
    existing session?

Also on the server side I need to share the login info among Zope, and
Tomcat -- has a methodolgy been developed to do so?

Albert Boulanger

Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to