Cyrille Bonnet wrote:
> thanks for your comment.
>
>> Stock Zope doesn't use cookie authentication, so you're actually
>> an alternate user folder product (which you don't specify and I don't
>> many of them, so I can't really comment much -- except that
>> with CookieCrumbler will indeed put you in this situation (or did the
>
> I am using Plone 2.1.2, which uses CookieCrumbler. I wanted to put the
> problem in a Zope perspective, though: this is why I didn't mention that.
>
>> The fact that Zope stores passwords as plain text is not the issue if
>> about man-in-the-middle attacks, though. The problem there is that
>> you are passing passwords in plain text in the request, and there is
>> almost no way around that unless you run an SSL (HTTPS) server. Which
>> you should if you want real security.
>
> Sorry, I wasn't even aware that Zope stores the passwords in plain
> text. My primary concern (for the moment) is passwords in plain text
> in the request.
>
> I had thought of SSL, but it doesn't solve the problem for WebDAV access.
> I should also mention that the site is for the general public, with a
> few users logging in.
>
> Of course, I can't put the public site on SSL, so I would have to have
> a separate URL for logged-in users with SSL. And I still have to worry
> about the ZMI and WebDAV access.
>
> It seems so much simpler to solve the problem at the root: change Zope
>
>> Encrypting your password database without moving your server login to
>> is only going to create inconvenience without improved security (you
>> longer send password reminders, for example) -- it's a false sense of
>
> Ouch, so on top of my concerns, passwords are stored in plain text??
> Thanks for pointing that out.
>
> I'd rather encrypt passwords with a hash and reset the password if the
> users have lost it. Is it possible to do that in Zope?
>
> Obviously, I don't understand the ins and outs of Zope as well as most
> people on this list. So, my questions really are:
>
> * Why is Zope authentication implemented that way?
> * Is it really complex to secure the authentication process?
> * Is there any documentation summing up Zope security (authentication
>   process, password storage, etc.)?

I am curious: If HTTPS is a hassle, then what do your security experts
have as a secure alternative?
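An added example, not code from this thread or from Zope, of the hashed-storage-plus-reset approach Cyrille asks about: passwords are kept only as salted PBKDF2 hashes, so a password "reminder" cannot be sent and a short-lived, single-use reset token is issued instead. The in-memory USERS dict and all function names are assumed stand-ins, not Zope's user folder API.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "user folder": username -> record. A hypothetical
# stand-in for illustration, not Zope's actual user folder.
USERS = {}
PBKDF2_ROUNDS = 200_000

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _now(now):
    return time.time() if now is None else now

def add_user(username, password):
    """Store only salt + PBKDF2 hash; the cleartext password is never kept."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "reset": None}

def check_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        _hash(password, b"\x00" * 16)  # same cost whether or not the user exists
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def issue_reset_token(username, ttl=900, now=None):
    """The password cannot be recovered from its hash, so a reminder is
    impossible; hand out a short-lived token and store only its digest."""
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = (hashlib.sha256(token.encode()).digest(), _now(now) + ttl)
    return token

def reset_password(username, token, new_password, now=None):
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    digest, expiry = rec["reset"]
    presented = hashlib.sha256(token.encode()).digest()
    if _now(now) > expiry or not hmac.compare_digest(digest, presented):
        return False
    rec["reset"] = None  # single use: consumed on success
    salt = os.urandom(16)
    rec["salt"], rec["hash"] = salt, _hash(new_password, salt)
    return True
```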
Zope maillist - Zope@zope.org