Thanks to all for your feedback: I understand better what is going on now.

SSL is definitely the way to go, that would solve all my problems.

Now, just to push the problem a bit further: ideally, I'd like to put SSL just on the login form. Zope would authenticate the user in that request and return a "session ID" that would then be passed back and forth in each request (without SSL).

That would be a balanced approach to security: I don't have to put SSL across the entire site. The site will be vulnerable to man-in-the-middle attacks, but only for the duration of a session.

Is it possible to do that with Zope? Or does Zope require identifying the user on each request?

Thanks for the help.


bruno desthuilliers wrote:
> Cyrille Bonnet wrote:
>
>> Hi there,
>>
>> I have been telling all my clients about how great Zope is for security:
>> fine-grained permissions, security framework, roles, etc.
>>
>> Now, one of my clients has a security expert who took a close look at
>> how Zope authenticates users. The results were not good.
>>
>> The main problem is that Zope stores the username and password in a
>> cookie in clear text (base64 encoded).
>
> *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
> is responsible for this horror.
>
>> Even though it only happens in their internal network, my client wasn't
>> too happy, because it makes them vulnerable to a man-in-the-middle attack.
>>
>> I know, the odds of that happening are low, but storing the username and
>> password in clear text is clearly not best practice.
>
> That's an understatement.
>
>> So, my question is: is there a way to secure Zope authentication?
>
> Yes: use https.

Zope maillist
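Added example, not from this thread and not Zope or CookieCrumbler code: a small Python illustration of the two cookie designs discussed above. The first part shows why a base64-encoded "user:password" cookie gives no protection at all (anyone who sees it on the wire decodes it). The second part shows the scheme proposed in the reply: authenticate once (the request that would go over SSL), hand back an opaque random session ID with a server-side expiry, and look the ID up on every later request. The SessionStore class, verify_password, the _USERS table, the 600-second lifetime and the user "alice" are all invented for this example.

```python
# Added example (not code from the thread, Zope or CookieCrumbler): compares a
# base64 "user:password" cookie with an opaque server-side session ID.
# SessionStore, verify_password, _USERS and the 600-second lifetime are invented here.
import base64
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


# --- 1. What the thread complains about: credentials, base64-encoded, in a cookie ---

def encode_credentials_cookie(username: str, password: str) -> str:
    """Cookie value of the form base64("user:password"). Encoding is not encryption."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_credentials(cookie: str) -> Tuple[str, str]:
    """Anyone who observes the cookie on the wire recovers the password this way."""
    username, password = base64.b64decode(cookie).decode().split(":", 1)
    return username, password


# --- 2. The proposed alternative: log in once, then present an opaque session ID ---

class SessionStore:
    """Server-side map: random session ID -> (username, expiry timestamp).

    The ID is 32 random bytes, so it reveals nothing about the user or password
    and cannot be guessed; the server-side entry is what ties it to a user.
    """

    def __init__(self, lifetime: float, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self._lifetime = lifetime
        self._clock = clock

    def login(self, username: str, password: str,
              verify: Callable[[str, str], bool]) -> Optional[str]:
        """The one request that sees the password (the SSL login form).
        Returns a fresh session ID on success, None on failure."""
        if not verify(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (username, self._clock() + self._lifetime)
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Per-request check on the plain-HTTP requests: known ID and not expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires = entry
        if self._clock() >= expires:
            del self._sessions[sid]   # expired IDs are dropped, so replaying them fails
            return None
        return username

    def logout(self, sid: str) -> None:
        """Ending the session early closes the replay window ahead of expiry."""
        self._sessions.pop(sid, None)


# Constructed user table for the example only; it stands in for whatever the site
# really checks passwords against and is not a model for password storage.
_USERS = {"alice": "s3cret"}


def verify_password(username: str, password: str) -> bool:
    expected = _USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def demo() -> dict:
    """Run both schemes against constructed input and return what happened."""
    cookie = encode_credentials_cookie("alice", "s3cret")
    leaked = recover_credentials(cookie)

    now = [1_000_000.0]                   # fake clock so expiry is deterministic
    store = SessionStore(lifetime=600, clock=lambda: now[0])
    bad_login = store.login("alice", "wrong", verify_password)
    sid = store.login("alice", "s3cret", verify_password)
    # An attacker who sniffs `sid` off an unencrypted request gets the same answer
    # from the server as the real browser does, for as long as the session lives:
    during = store.user_for(sid)
    now[0] += 601                         # the lifetime elapses
    after = store.user_for(sid)
    return {"cookie": cookie, "leaked": leaked, "bad_login": bad_login,
            "sid": sid, "during": during, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The expiry step is the point the reply is relying on: a session ID sent in clear is just as easy to capture as the old cookie, and whoever captures it is the user until the session expires or is logged out, so the lifetime is the bound on that exposure. Marking the cookie Secure (sent only over HTTPS) would close the window, but that is the whole-site SSL the reply is trying to avoid.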