Thanks to all for your feedback: I understand better what is going on now.
SSL is definitely the way to go, that would solve all my problems.
Now, just to push the problem a bit further: ideally, I'd like to put
SSL just on the login form. Zope would authenticate the user in that
request and return a "session ID" that would then be passed back and
forth in each request (without SSL).
That would be a balanced approach to security: I don't have to put SSL
across the entire site. The site will be vulnerable to man-in-the-middle
attacks, but only for the duration of a session.
Is it possible to do that with Zope? Or does Zope require identifying
the user on each request?
Thanks for the help.
bruno desthuilliers wrote:
> Cyrille Bonnet wrote:
> > I have been telling all my clients about how great Zope is for security:
> > fine-grained permissions, security framework, roles, etc.
> > Now, one of my clients has a security expert who took a close look at
> > how Zope authenticates users. The results were not good.
> > The main problem is that Zope stores the username and password in a
> > cookie in clear text (base64 encoded).
> *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
> is responsible for this horror.
> > Even though it only happens in their internal network, my client wasn't
> > too happy, because it makes them vulnerable to a man-in-the-middle attack.
> > I know, the odds of that happening are low, but storing the username and
> > password in clear text is clearly not best practice.
> That's an understatement.
> > So, my question is: is there a way to secure Zope authentication?
> yes : use https.
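The two cookie designs discussed in this thread, as an added example that is not part of the thread and not Zope or CookieCrumbler code: the first function shows why a base64 "user:password" cookie is clear text in every sense that matters (anyone holding the cookie recovers both values without a key), and the SessionStore shows the design Cyrille asks about, where the credential is checked once at login and the cookie carries only a random, opaque session id with a server-side expiry. The cookie value, the user name and password, and the check_password callback are constructed for the example; the Set-Cookie helper is there to show the caveat that the Secure flag, which keeps the id off plain http, is exactly what the "SSL only on the login form" design has to give up.

```python
import base64
import secrets
import time

# Constructed example of the cookie form the thread describes: the user name and
# password joined by a colon and base64-encoded. Values are made up.
CREDENTIAL_COOKIE = base64.b64encode(b"alice:s3cret").decode()


def credentials_exposed_by_cookie(cookie_value):
    """base64 is an encoding, not encryption: no key is needed to read it back."""
    user, _, password = base64.b64decode(cookie_value).decode().partition(":")
    return user, password


class SessionStore:
    """Server-side session table.

    The credential is checked once, in the login request (the one that would be
    behind SSL), and from then on the browser only presents an unguessable id.
    The password never crosses the wire again and is never stored in the cookie.
    """

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> (username, expiry timestamp)

    def login(self, username, password, check_password, now=None):
        # check_password is a hypothetical authentication callback; any truthy
        # result means the credential was accepted.
        if not check_password(username, password):
            return None
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = (username, now + self.ttl)
        return sid

    def user_for(self, sid, now=None):
        """Map a presented session id back to a user, or None if unknown/expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            # Expired ids are dropped, which bounds how long a captured id is useful.
            del self._sessions[sid]
            return None
        return username

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid, secure):
    """Build the Set-Cookie header for the session id.

    With secure=True the browser only sends the cookie over https. A site that
    serves SSL on the login form alone cannot set this flag, because the id
    must then be sent over plain http, which is the exposure the thread accepts.
    """
    flags = ["HttpOnly", "SameSite=Lax"]
    if secure:
        flags.append("Secure")
    return "Set-Cookie: session=%s; Path=/; %s" % (sid, "; ".join(flags))
```

Because the session id is looked up server-side, revoking a session (logout, or expiry) is a dictionary delete, something a cookie that carries the password itself cannot offer: that cookie stays valid until the password is changed.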
Zope maillist - Zope@zope.org