On 3/30/06, Cyrille Bonnet <[EMAIL PROTECTED]> wrote:
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

As mentioned before, Zope doesn't, but CookieCrumbler (and hence Plone) does. And the security expert is not much of a security expert at all if he doesn't know this: you will only get real web security with SSL.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.

All plain HTTP is vulnerable to that, which is why, if you care about security, you need to use HTTPS.

> So, my question is: is there a way to secure Zope authentication?

Yup. See above. :)

> Also, if it is good, why is it not part of default Zope?

Good question. :-) However, today you want to use PAS, the new fancy modular user folder for Zope. I don't know if it works with Plone yet, though.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
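An added example, not from this thread and not Zope's or CookieCrumbler's own code, of the defender-side check the reply implies: a Set-Cookie audit that flags a cookie whose base64 value decodes to a user:password pair (clear text, as described above) and that is not marked Secure, so it would travel over plain HTTP and be exposed to the man-in-the-middle scenario. The cookie name `__ac` and the sample headers are constructed assumptions for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample Set-Cookie headers (not captured from any real site).
# The "__ac" cookie name is an assumption about the CookieCrumbler cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    "__ac=YWxpY2U6czNjcjN0; Path=/",                          # base64("alice:s3cr3t"), no Secure flag
    "__ac=%22YWxpY2U6czNjcjN0%22; Path=/; Secure; HttpOnly",  # same credential, HTTPS-only cookie
    "_ZopeId=sess-4bc1e2f0a9; Path=/; Secure",                # opaque session id, nothing to decode
]

# "user:password" shape after decoding: a colon-free name, then anything.
CREDENTIAL_RE = re.compile(r"^[^:\s]{1,64}:[^\r\n]{1,256}$")


def decode_cookie_value(raw: str):
    """URL-unquote, strip surrounding quotes, try base64; return text or None."""
    value = unquote(raw).strip('"')
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None  # not base64 at all, e.g. a random session id
    try:
        return decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None


def audit_set_cookie(header: str) -> dict:
    """Flag cookies carrying a reversible user:password pair and missing Secure."""
    name_value, *attrs = [p.strip() for p in header.split(";")]
    name, _, raw_value = name_value.partition("=")
    attr_names = {a.split("=", 1)[0].lower() for a in attrs}
    decoded = decode_cookie_value(raw_value)
    carries_credentials = bool(decoded and CREDENTIAL_RE.match(decoded))
    return {
        "name": name,
        "carries_credentials": carries_credentials,
        "secure": "secure" in attr_names,
        "httponly": "httponly" in attr_names,
        # Clear-text credentials on a cookie that may go over plain HTTP:
        # the exposure the thread is about. Marking it Secure (i.e. HTTPS only)
        # removes the on-the-wire exposure but not the reversibility.
        "exposed_to_mitm": carries_credentials and "secure" not in attr_names,
    }


def audit_all(headers=SAMPLE_SET_COOKIE_HEADERS):
    return [audit_set_cookie(h) for h in headers]
```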