Cyrille Bonnet wrote:

The main problem is that Zope stores the username and password in a cookie in clear text (base64 encoded).

Even though it only happens in their internal network, my client wasn't too happy, because it makes them vulnerable to a man-in-the-middle attack.

I know, the odds of that happening are low, but storing the username and password in clear text is clearly not best practice.

So, my question is: is there a way to secure Zope authentication?

Stock Zope doesn't use cookie authentication, so you're actually talking about an alternate user folder product (which you don't specify and I don't know that many of them, so I can't really comment much -- except that SimpleUserFolder with CookieCrumbler will indeed put you in this situation (or did the last time I checked)).

The fact that Zope stores passwords as plain text is not the issue if you're worried about man-in-the-middle attacks, though. The problem there is that you are passing passwords plain text in the request, and there is almost no way around that unless you run an SSL (HTTPS) server. Which you should if you want real security.

Encrypting your password database without moving your server login to HTTPS is only going to create inconvenience without improved security (you can no longer send password reminders, for example) -- it's a false sense of security.

So, IMHO, secure the server, then worry about password databases.

Cheers,
Terry
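The cookie the thread describes carries the username and password as base64, which is an encoding, not encryption, and as Terry says the only real fix is to stop sending it over plain HTTP. The audit helper below is an added example written for this page, not code from Zope, SimpleUserFolder or CookieCrumbler: it takes a Set-Cookie header, checks whether the cookie value decodes to a "user:password" pair, and reports whether the cookie carries the Secure attribute that confines it to HTTPS. The cookie name, username and password in the sample headers are constructed for the example.

```python
import base64
import binascii
from dataclasses import dataclass

# Constructed sample Set-Cookie headers of the shape the thread describes:
# the value is base64 of "username:password". Name and credentials are made up.
SAMPLE_SET_COOKIE = "login=YWxpY2U6czNjcjN0; Path=/"
SAMPLE_SET_COOKIE_SECURE = "login=YWxpY2U6czNjcjN0; Path=/; Secure; HttpOnly"


@dataclass
class CookieFinding:
    name: str
    carries_credential: bool   # value decodes to readable "user:password" text
    secure_flag: bool          # Secure attribute: browser sends it only over HTTPS
    httponly_flag: bool        # HttpOnly attribute: not readable from page scripts


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def decode_credential(value: str):
    """Return (user, password) if value is base64 of printable 'user:password'
    text, otherwise None. Demonstrates that base64 hides nothing."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if ":" not in text or not text.isprintable():
        return None
    user, _, password = text.partition(":")
    if not user:
        return None
    return user, password


def audit_set_cookie(header: str) -> CookieFinding:
    """Inspect one Set-Cookie header for a clear-text credential and its flags."""
    name, value, attrs = parse_set_cookie(header)
    return CookieFinding(
        name=name,
        carries_credential=decode_credential(value) is not None,
        secure_flag="secure" in attrs,
        httponly_flag="httponly" in attrs,
    )


def risk_summary(finding: CookieFinding) -> str:
    """One-line assessment following the thread's reasoning: the credential in
    the cookie is only a transport problem, so transport is what must change."""
    if finding.carries_credential and not finding.secure_flag:
        return "credential in cookie, sent over plain HTTP: serve login over HTTPS"
    if finding.carries_credential:
        return "credential in cookie, but Secure flag confines it to HTTPS"
    return "no clear-text credential detected in cookie value"


if __name__ == "__main__":
    for header in (SAMPLE_SET_COOKIE, SAMPLE_SET_COOKIE_SECURE):
        finding = audit_set_cookie(header)
        print(finding.name, "->", risk_summary(finding))
```

Running this over the two constructed headers shows the same cookie value judged differently depending only on the Secure attribute, which mirrors Terry's point: the credential database format does not change the man-in-the-middle exposure, the transport does.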

_______________________________________________
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
