David wrote:
I moved to Apache (for SSL) because it's independent of Zope and it will give you SSL and the power of a world-class server when you need it. ZopeSSL worked fine (when I last tried it, like Zope 2.4x).

For SSL and HTTP sanitisation, I wouldn't trust anything that doesn't get the snot pounded out of it by millions of users on a daily basis.

For me, that means for anything other than development on a private network, Apache sits in front of Zope. I'm not even sure I trust Squid yet ;-)

Pound? ZopeSSL? Don't make me laugh ;-)

As for this whole auth discussion, it depends on what your risks are. If you're serious, client certificate auth with Apache for every single request, and plenty of user education to explain exactly what that padlock means and why you need to click on it and read it every single session you start.

I suspect in this case, a simple cookie auth scheme that uses _ZopeId as its token will be more than secure enough for your needs...

Chris - security is HARD. No really, it's hard. Seriously, stop thinking you understand it; you don't, I don't, and likely no-one else around here does either ;-)

--
Simplistix - Content Management, Zope & Python Consulting
           - http://www.simplistix.co.uk
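The "client certificate auth with Apache for every single request" setup mentioned above, as an added configuration example that is not from the original post or from any Zope project documentation. It assumes Apache 2.x with mod_ssl, mod_proxy and mod_headers, Zope listening only on 127.0.0.1:8080 with a VirtualHostMonster installed, and the hostname and certificate paths are placeholders:

```apache
# Added example (not from the original post). Apache terminates SSL,
# demands a client certificate on every request, and proxies to Zope
# on loopback. Hostname and file paths are assumptions.
Listen 443
<VirtualHost *:443>
    ServerName zope.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Only client certificates chaining to this private CA are accepted.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt

    # "require" (not "optional") makes the handshake fail without a
    # valid client cert, so there is no unauthenticated path to Zope.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Export SSL_* variables so the subject DN can be forwarded.
    SSLOptions +StdEnvVars +StrictRequire
    <Location />
        SSLRequireSSL
    </Location>

    # Overwrite (never append to) the header, so a client cannot smuggle
    # its own X-SSL-Client-DN through the proxy.
    RequestHeader set X-SSL-Client-DN "%{SSL_CLIENT_S_DN}s"

    # VirtualHostBase/.../VirtualHostRoot is the VirtualHostMonster
    # convention so Zope generates https:// URLs for the public name.
    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/https/zope.example.com:443/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/VirtualHostBase/https/zope.example.com:443/VirtualHostRoot/
</VirtualHost>
```

Zope may trust the X-SSL-Client-DN header only because it is reachable solely from Apache on loopback; if port 8080 is exposed on any other interface, anyone can set that header themselves and the certificate check is bypassed entirely.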

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
