David wrote:
> I moved to Apache (for SSL) because it's independent of Zope and it will
> give you SSL and the power of a world class server when you need it.
> ZopeSSL worked fine (when I last tried it, like zope 2.4x).
For SSL and HTTP sanitisation, I wouldn't trust anything that doesn't
get the snot pounded out of it by millions of users on a daily basis.
For me, that means for anything other than development on a private
network, Apache sits in front of Zope. I'm not even sure I trust Squid
yet ;-)
Pound? ZopeSSL? Don't make me laugh ;-)
As for this whole auth discussion, it depends on what your risks are. If
you're serious, client certificate auth with Apache for every single
request, and plenty of user education to explain exactly what that
padlock means and why you need to click on it and read it every single
session you start.
I suspect in this case, a simple cookie auth scheme that uses _ZopeId as
its token will be more than secure enough for your needs...
Chris - security is HARD. No really, it's hard. Seriously, stop thinking
you understand it, you don't, I don't, and likely no-one else
around here does either ;-)
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
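A minimal httpd configuration for the arrangement Chris describes above (Apache terminating SSL in front of Zope and demanding a client certificate on every request), added here as an illustration and not taken from the thread; the hostname, certificate paths, header name and the Zope port 8080 are assumptions.

```apache
# Added example (not from the thread): Apache 2.x terminating SSL in front
# of Zope and requiring a client certificate on every request. Hostname,
# file paths, the X-Client-DN header and the Zope port are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName zope.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/zope.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/zope.example.com.key

    # Client certificate auth: every request must present a certificate
    # issued by our own CA, so the padlock means a mutually authenticated
    # session rather than just an encrypted one.
    SSLCACertificateFile    /etc/ssl/certs/client-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          1

    # Refuse the broken SSLv2/SSLv3 protocol versions outright.
    SSLProtocol all -SSLv2 -SSLv3

    # Hand the verified certificate subject to Zope so the application can
    # map it to a user. "set" replaces any header the client sent, so a
    # browser cannot forge the DN; Zope must only trust this header when
    # it listens on 127.0.0.1 and is reachable solely through Apache.
    RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"

    # Proxy to Zope using the VirtualHostMonster URL form so that Zope
    # generates https:// links for this host instead of http://127.0.0.1:8080.
    ProxyRequests Off
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/(.*)$ http://127.0.0.1:8080/VirtualHostBase/https/zope.example.com:443/VirtualHostRoot/$1 [L,P]
</VirtualHost>

# Plain HTTP never reaches Zope: everything is redirected to the SSL host.
<VirtualHost *:80>
    ServerName zope.example.com
    Redirect permanent / https://zope.example.com/
</VirtualHost>
```

Requires mod_ssl, mod_headers, mod_rewrite, mod_proxy and mod_proxy_http; with SSLVerifyClient set to require, a browser without a certificate from client-ca.crt is rejected during the TLS handshake, before any request reaches Zope.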
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )