michael nt milne wrote:
> Cookie authentication can't be secure. Also I have my doubts about
> http authentication. I'll check though. Basically you want really good
> encryption on any logon and password etc.

You want SSL for all. There is no security if you have "logon" encrypted in a stateless protocol as HTTP is. Basically with HTTP you identify for every single request. So if you login "encrypted" and say, handle the session with a one time key (you could write a userfolder or plugin for PAS to do that) the one time key is still vulnerable if not sent over an encrypted channel.

So using Apache as SSL proxy is easy and secure and does exactly what you want. There is not really "an extra step" because you set up Apache or the like anyway on a moderately to heavily used site as frontend to Zope.

As for the security aspect, a cookie with auth credentials is equally "secure" as Basic Auth. There is really not much of a difference - just another HTTP header name.

Regards
Tino
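
The point made in the reply above, that a credential cookie and Basic Auth differ only in the header name, shown as an added example that is not part of the original post. The cookie name `__ac`, its base64 `user:password` layout, the host name and the login are constructed assumptions.

```python
import base64
from urllib.parse import quote, unquote

# Constructed sample: one plaintext HTTP request carrying the same constructed
# login twice, once as Basic Auth and once as a credential cookie.
# The cookie name "__ac" and its base64 "user:password" layout are assumptions.
_TOKEN = base64.b64encode(b"alice:s3cret").decode()
SAMPLE_REQUEST = (
    "GET /manage HTTP/1.1\r\n"
    "Host: zope.example.org\r\n"
    f"Authorization: Basic {_TOKEN}\r\n"
    f"Cookie: tree-s=abc; __ac={quote(_TOKEN)}\r\n"
    "\r\n"
).encode()


def _decode(token):
    """Return (user, password) if token is base64 'user:password', else None."""
    try:
        text = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def credentials_on_the_wire(raw_request, cookie_name="__ac"):
    """List (header, user, password) readable from an unencrypted request."""
    found = []
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "authorization" and value.lower().startswith("basic "):
            creds = _decode(value[6:].strip())
            if creds:
                found.append(("authorization", *creds))
        elif name == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                creds = _decode(unquote(val)) if key == cookie_name else None
                if creds:
                    found.append(("cookie", *creds))
    return found


if __name__ == "__main__":
    for header, user, password in credentials_on_the_wire(SAMPLE_REQUEST):
        print(f"{header}: user={user!r} password={password!r}")
```

Both headers yield the same login from the same request, which is why the transport, not the header, has to provide the confidentiality.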