Yes, I agree. Having checked on basic HTTP authentication, I need SSL. Basic HTTP and cookie auth are insecure. I just feel that Zope should have this facility, even with a self-signed certificate, so that you could do it without Apache and had more options. The option to have it on just for site logon would be good.
On 1/25/06, Tino Wildenhain <[EMAIL PROTECTED]> wrote:
> michael nt milne schrieb:
> > Cookie authentication can't be secure. Also I have my doubts about http authentication. I'll check though. Basically you want really good encryption on any logon and password etc.
>
> You want SSL for all. There is no security if you have "logon" encrypted in a stateless protocol as HTTP is. Basically with HTTP you identify for every single request. So if you login "encrypted" and say, handle the session with a one time key (you could write a userfolder or plugin for PAS to do that) the one time key is still vulnerable if not sent over an encrypted channel. So using Apache as SSL proxy is easy and secure and does exactly what you want. There is not really "an extra step" because you set up Apache or the like anyway on a moderate to heavily used site as frontend to Zope.
>
> As for the security aspect, a cookie with auth credentials is equally "secure" as Basic Auth. There is really not much of a difference - just another HTTP header name.
>
> Regards
> Tino
>
> _______________________________________________
> Zope maillist - [email protected]
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
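Tino's point that a credential cookie and Basic Auth are "equally secure" because the only difference is the header name, and that neither is protected unless the channel is encrypted, can be shown concretely. The following Python is an added illustration, not code from Zope or from either poster: it parses a constructed HTTP request and reports every header from which a user:password pair can be recovered, then shows that the findings vanish only when the request is assumed to travel over TLS. The `__ac` cookie is assumed here to follow the CookieCrumbler layout of base64-encoded `user:password`; the host, credentials and cookie values are made up.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample request (not a real capture); host and credentials are made up.
# The __ac cookie is assumed to carry base64("user:password"), the same encoding
# that Basic Auth uses, which is exactly why the two are equivalent on the wire.
SAMPLE_REQUEST = (
    "GET /manage_main HTTP/1.1\r\n"
    "Host: zope.example.invalid\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    "Cookie: tree-s=placeholder; __ac=YWRtaW46aHVudGVyMg==\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request into a dict keyed by lowercase header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_user_pass(token: str) -> Optional[Tuple[str, str]]:
    """Decode a base64 'user:password' token; None if the value is not that shape."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def parse_cookies(value: str) -> Dict[str, str]:
    """Split a Cookie header value into name -> value pairs."""
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def credential_bearing_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (location, username) for every header carrying a recoverable
    user:password pair. Basic Auth and the cookie are treated identically:
    both are just a header name in front of the same encoded secret."""
    headers = parse_headers(raw)
    found: List[Tuple[str, str]] = []
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        creds = decode_user_pass(token.strip())
        if creds:
            found.append(("Authorization: Basic", creds[0]))
    for name, val in parse_cookies(headers.get("cookie", "")).items():
        creds = decode_user_pass(val)
        if creds:
            found.append((f"Cookie: {name}", creds[0]))
    return found


def exposure_findings(raw: str, over_tls: bool) -> List[str]:
    """Findings for a request as observed on the network: on cleartext HTTP
    every credential-bearing header is readable by anyone on the path; behind
    TLS (e.g. Apache as SSL proxy in front of Zope) none of them are."""
    if over_tls:
        return []
    return [
        f"{where} exposes credentials for user '{user}' in cleartext"
        for where, user in credential_bearing_headers(raw)
    ]


if __name__ == "__main__":
    for finding in exposure_findings(SAMPLE_REQUEST, over_tls=False):
        print(finding)
    print("over TLS:", exposure_findings(SAMPLE_REQUEST, over_tls=True))
```

Run stand-alone, the script lists two findings for the cleartext case (one for the `Authorization` header, one for the `__ac` cookie) and an empty list for the TLS case. The decisive variable is `over_tls`, not which header carries the secret, which is the point made in the quoted reply.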
