On 5/7/05, Chris McDonough <[EMAIL PROTECTED]> wrote:
> Web Folders pass cookies around too, FWIW, so it's probably not strictly
> necessary to use http basic auth.  But without using http basic auth,
> there is no way to log in unless you have them go to the web interface
> first, then launch a web folder, so maybe impractical.

That's exactly what's happening at the moment; the WebDAV access is
linked to via the web interface after they log in (it's only one small part
of a larger system). They log in via the web, gaining a cookie which
is passed to the Explorer 'web folders' thing, so when they click on the
link to the WebDAV part of the site the cookie is still valid and they don't
have to log in to WebDAV. *

All I'm trying to do is boost the security of the system overall by ensuring
an attacker can't simply sidestep the 'three login failure lockout' just by
repeatedly trying to log in via WebDAV.


* A thought occurs to me after writing it like this. Might it be possible
to forbid HTTP Basic auth logins to WebDAV, so that only cookies
are the allowed authentication type?

> - C
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to