Cyrille Bonnet wrote:
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

Stock Zope doesn't use cookie authentication, so you're actually talking
an alternate user folder product (which you don't specify and I don't
many of them, so I can't really comment much -- except that SimpleUserFolder
with CookieCrumbler will indeed put you in this situation (or did the

> Even though it only happens in their internal network, my client
> wasn't too happy, because it makes them vulnerable to a
> I know, the odds of that happening are low, but storing the username
> and password in clear text is clearly not best practice.
>
> So, my question is: is there a way to secure Zope authentication?

The fact that Zope stores passwords as plain text is not the issue if
about man-in-the-middle attacks, though. The problem there is that you
passwords plain text in the request, and there is almost no way around
that unless you run an SSL (HTTPS) server. Which you should if you want

Encrypting your password database without moving your server login to HTTPS
is only going to create inconvenience without improved security (you can no
longer send password reminders, for example) -- it's a false sense of

So, IMHO, secure the server, then worry about password databases.
Zope maillist - Zope@zope.org
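Added illustration of the reply's point (example code written for this page, not code from the thread, from Zope or from CookieCrumbler): a base64-encoded cookie is an encoding, not encryption, so anyone on a plain-HTTP hop can recover the password no matter how the server stores its password database; only TLS on the login path changes that. The audit below parses a constructed request the way an internal proxy or IDS would and reports whether the credentials it carries are exposed on the wire. The cookie name `__ac` and its `user:password` layout are assumptions about the CookieCrumbler format, the request and credentials are constructed, and the function names are my own.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample credentials and request. The "__ac" cookie name and the
# "user:password" layout are assumptions about CookieCrumbler, not from the thread.
SAMPLE_TOKEN = base64.b64encode(b"alice:hunter2").decode("ascii")
SAMPLE_COOKIE_REQUEST = (
    "GET /manage_main HTTP/1.1\r\n"
    "Host: intranet.example.invalid\r\n"
    f"Cookie: __ac={SAMPLE_TOKEN}; tree-s=abc\r\n"
    "\r\n"
)
# Same credentials sent as HTTP Basic auth: no better over plain http.
SAMPLE_BASIC_REQUEST = (
    "GET /manage_main HTTP/1.1\r\n"
    "Host: intranet.example.invalid\r\n"
    f"Authorization: Basic {SAMPLE_TOKEN}\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers-dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookies(header_value):
    """Turn 'a=1; b=2' into a dict (enough for an audit, not a full RFC 6265 parser)."""
    cookies = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def decode_credential_token(token):
    """Return (user, password) if token is base64 of 'user:password', else None.

    No key is involved: this is exactly what any on-path observer can do, which
    is why the storage format on the server is beside the point over plain http.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def audit_request(raw, scheme):
    """List credential exposures in one request sent over `scheme` ('http'/'https').

    Each finding is a dict: where the credential was found, the user it names,
    and whether it was readable by everything on the network path.
    """
    _method, _target, headers = parse_request(raw)
    tokens = []
    cookies = parse_cookies(headers.get("cookie", ""))
    if "__ac" in cookies:
        tokens.append(("__ac cookie", cookies["__ac"]))
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        tokens.append(("Authorization: Basic header", auth[6:].strip()))
    findings = []
    for where, token in tokens:
        creds = decode_credential_token(token)
        if creds is None:
            continue
        findings.append({"where": where, "user": creds[0], "exposed": scheme != "https"})
    return findings


def login_url_is_protected(url):
    """The fix the reply recommends: the login endpoint itself must be served over HTTPS."""
    return urlsplit(url).scheme == "https"


if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, audit_request(SAMPLE_COOKIE_REQUEST, scheme))
    print(login_url_is_protected("http://intranet.example.invalid/login_form"))
```

Run against a capture from the internal segment, the same request audits as exposed over http and as protected over https; nothing about the server-side password store appears in the result, which is the reply's argument in code form.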