"It's worth bearing in mind that those credentials are passed over the
wire with every page, so you need your sessions to /stay/ in SSL mode
once authenticated."
Yes, I've got the whole site going over SSL and the :8080 port re-directing to SSL.
However, on my main server where I have other sites, I was thinking about implementing SSL for the login areas to make them fully secure. From what you are saying though, you'd basically need to make a whole site go over SSL, and just implementing that on the login areas isn't worth it?
I still have an issue with IE6 over SSL where trying to create new pages or edit content produces a "server not found" and the padlock disappears. I have TLS 1.0 and SSL 2.3, 3.0 selected in advanced. IE 6.02. Firefox 1.5 (predictably..) works fine but I don't want to have to get all my users to install it even though I'd like to :-)
On 2/11/06, Philip Kilner <[EMAIL PROTECTED]> wrote:
Hi Michael,
michael nt milne wrote:
> I've implemented what's outlined in the make private site
> documentation and it works fine on Plone 2.1.1. No content is available
> apart from the site-map page (doesn't list content) and the contact form
> but I can figure that out separately.
>
Since neither of those counts as "content" as such, I think that that is
legitimate and, as you say, you can work around those if it matters to
you. (In cases where I've wanted to work around such things, I've simply
called a script that redirects with an error message if the
appropriate conditions aren't met.)
> Yes I think I like the HTML login page way to authenticate. It feels
> more usable. And I don't think I'll use an Apache login box at all. Most
> users will find it hard remembering one password and with cookie
> authentication over SSL you can go straight into the site. Brilliant.
>
Agreed. Apache does a great job of managing the SSL, securing the data
over public wires, but that's a 100% generic task whereas the
authentication is tightly bound to your application.
It's worth bearing in mind that those credentials are passed over the
wire with every page, so you need your sessions to /stay/ in SSL mode
once authenticated.
> I'm revisiting some of the points made in this thread though about
> security. It does seem that Zope and Plone, as you say, are at odds on this.
>
Because Zope is an application server, it has to expose its mechanism -
Plone has an easier job because it has a specific task to do (e.g.
manage content), and so can take an approach which is much simpler to
fly. In Plone, always do things the Plone way - working at the Zope
level may potentially subvert Plone's mechanisms for achieving things.
--
Regards,
PhilK
Email: [EMAIL PROTECTED]
PGP Public key: http://www.xfr.co.uk
Voicemail & Facsimile: 07092 070518
"You'll find that one part's sweet and one part's tart:
say where the sweetness and the sourness start."
- Tony Harrison
--
Michael
_______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )
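The point Philip makes above (cookie credentials travel with every request, so the session must stay on SSL) can be checked against the Set-Cookie headers a site actually emits. The following is an added example, not code from the thread or from Plone; the cookie name `__ac`, the sample headers and the URLs are constructed assumptions for illustration.

```python
"""Audit an authentication cookie so a logged-in session cannot fall back to plain HTTP."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Assumed name of the login cookie; the thread does not name it.
AUTH_COOKIE = "__ac"

# Constructed sample Set-Cookie headers: the weak form and the corrected form.
WEAK_HEADER = "__ac=abc123; Path=/"
SECURE_HEADER = "__ac=abc123; Path=/; Secure; HttpOnly"


def _auth_morsel(set_cookie_header, auth_cookie=AUTH_COOKIE):
    """Parse one Set-Cookie header and return the auth cookie's morsel, or None."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar.get(auth_cookie)


def audit_set_cookie(set_cookie_header, auth_cookie=AUTH_COOKIE):
    """Return a list of findings for the auth cookie in a Set-Cookie header."""
    morsel = _auth_morsel(set_cookie_header, auth_cookie)
    if morsel is None:
        return ["auth cookie not present in header"]
    findings = []
    if not morsel["secure"]:
        # Without Secure, the browser attaches the cookie to http:// requests too,
        # so a single non-SSL link (e.g. the :8080 port) leaks the credential.
        findings.append("missing Secure: cookie is sent over plain HTTP as well")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    return findings


def would_transmit(set_cookie_header, request_url, auth_cookie=AUTH_COOKIE):
    """Return True if a browser holding this cookie would send it to request_url.

    Simplified model: only the Secure flag and the Path attribute are checked.
    """
    morsel = _auth_morsel(set_cookie_header, auth_cookie)
    if morsel is None:
        return False
    parts = urlsplit(request_url)
    if morsel["secure"] and parts.scheme != "https":
        return False
    cookie_path = morsel["path"] or "/"
    return (parts.path or "/").startswith(cookie_path)


if __name__ == "__main__":
    for header in (WEAK_HEADER, SECURE_HEADER):
        print(header, "->", audit_set_cookie(header) or "ok")
        print("  sent to http://site.test:8080/edit ?",
              would_transmit(header, "http://site.test:8080/edit"))
```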