On 3/30/06, Cyrille Bonnet <[EMAIL PROTECTED]> wrote:
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

As mentioned before, Zope doesn't, but CookieCrumbler (and hence Plone) does.
And the security expert is not much of a security expert at all if
he doesn't know this:

You will only get real web security with SSL.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.

All plain http is vulnerable to that, which is why, if you care about
security, you need to use https.

> So, my question is: is there a way to secure Zope authentication?

Yup. See above. :)

> Also, if it is good, why is it not part of default Zope?

Good question. :-)

However, today you want to use PAS, the new fancy modular user folder
for Zope. I don't know if it works with Plone yet, though.

Lennart Regebro, Nuxeo     http://www.nuxeo.com/
CPS Content Management     http://www.cps-project.org/
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-dev )
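As an added illustration of the two points made in this exchange (a base64 cookie is not secret, and only https keeps it off the wire in the clear), here is example code that is not from the original thread and not CookieCrumbler's or Zope's own code. It assumes, for the purpose of the demonstration, that the login cookie is named `__ac` and holds URL-quoted base64 of "username:password"; the captured request and the Set-Cookie headers are constructed sample data.

```python
import base64
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# Assumed layout for this example (not checked against CookieCrumbler's source):
#   __ac = urlquote(base64("username:password"))
COOKIE_NAME = "__ac"


def encode_ac_cookie(username: str, password: str) -> str:
    """Build the cookie value under the assumed base64 'username:password' layout."""
    raw = f"{username}:{password}".encode("utf-8")
    return quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_ac_cookie(value: str) -> Tuple[str, str]:
    """Reverse it. base64 is an encoding, not encryption: whoever holds the
    cookie value holds the credentials. Split on the first ':' so a password
    containing ':' survives."""
    raw = base64.b64decode(unquote(value)).decode("utf-8")
    username, _, password = raw.partition(":")
    return username, password


def credentials_from_sniffed_request(request: bytes) -> Optional[Tuple[str, str]]:
    """What a passive observer on plain http sees: pull the Cookie header out
    of a captured request and recover the login from it."""
    for line in request.split(b"\r\n"):
        if not line.lower().startswith(b"cookie:"):
            continue
        for pair in line.split(b":", 1)[1].decode("ascii").split(";"):
            name, _, value = pair.strip().partition("=")
            if name == COOKIE_NAME and value:
                return decode_ac_cookie(value)
    return None


def cookie_sent_in_clear(set_cookie_header: str) -> bool:
    """True when the Set-Cookie lacks the Secure attribute, i.e. the browser
    will also send the cookie over plain http://, where a man in the middle
    can read it even if the login form itself was served over https."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


# Constructed sample of a request as it would cross an internal network in the clear.
SNIFFED_REQUEST = (
    b"GET /Plone/folder_contents HTTP/1.1\r\n"
    b"Host: intranet.example.invalid\r\n"
    b"Cookie: " + COOKIE_NAME.encode("ascii") + b"="
    + encode_ac_cookie("alice", "s3cret").encode("ascii") + b"\r\n"
    b"\r\n"
)

# Constructed Set-Cookie headers: the weak form beside the one that only
# travels over https.
WEAK_SET_COOKIE = "__ac=YWxpY2U6czNjcmV0; Path=/"
SECURE_SET_COOKIE = "__ac=YWxpY2U6czNjcmV0; Path=/; Secure"

if __name__ == "__main__":
    print("recovered from sniffed request:", credentials_from_sniffed_request(SNIFFED_REQUEST))
    print("weak cookie goes over plain http:", cookie_sent_in_clear(WEAK_SET_COOKIE))
    print("secure cookie goes over plain http:", cookie_sent_in_clear(SECURE_SET_COOKIE))
```

The Secure attribute only helps once the site is actually served over https; on a plain http deployment the browser has no secure channel to restrict the cookie to, which is the point of the reply above.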
