Cyrille Bonnet wrote:

Hi Terry,

thanks for your comment.

Stock Zope doesn't use cookie authentication, so you're actually talking about an alternate user folder product (which you don't specify and I don't know that many of them, so I can't really comment much -- except that SimpleUserFolder with CookieCrumbler will indeed put you in this situation (or did the last time I checked)).

I am using Plone 2.1.2, which uses CookieCrumbler. I wanted to put the problem in a Zope perspective, though: this is why I didn't mention that.

The fact that Zope stores passwords as plain text is not the issue if you're worried about man-in-the-middle attacks, though. The problem there is that you are passing passwords in plain text in the request, and there is almost no way around that unless you run an SSL (HTTPS) server. Which you should if you want real security.

Sorry, I wasn't even aware that Zope stores the passwords in plain text. My primary concern (for the moment) is passwords in plain text in the request.

I had thought of SSL, but it doesn't solve the problem for WebDAV access.

I should also mention that the site is for the general public, with a few users logging in.

Of course, I can't put the public site on SSL, so I would have to have a separate URL for logged-in users with SSL. And I still have to worry about the ZMI and WebDAV access.

It seems so much simpler to solve the problem at the root: change Zope authentication.

Encrypting your password database without moving your server login to HTTPS is only going to create inconvenience without improved security (you can no longer send password reminders, for example) -- it's a false sense of security.

Ouch, so on top of my concerns, passwords are stored in plain text?? Thanks for pointing that out.

I'd rather encrypt passwords with a hash and reset the password if the users have lost it. Is it possible to do that in Zope?

Obviously, I don't understand the ins and outs of Zope as well as most people on this list. So, my questions really are:

* why is Zope authentication implemented that way?
* Is it really complex to secure the authentication process?
* Is there any documentation summing up Zope security (authentication process, password storage, etc.)?

I am curious: If HTTPS is a hassle, then what do your security experts have as a secure alternative?

All best,


Zope maillist  -