On Fri, Mar 31, 2006, Cyrille Bonnet wrote: >Thanks to all for your feedback: I understand better what is going on now. > >SSL is definitely the way to go, that would solve all my problems. > >Now, just to push the problem a bit further: ideally, I'd like to put >SSL just on the login form. Zope would authenticate the user in that >request and return a "session ID" that would then be passed back and >forth in each request (without SSL). > >That would be a balanced approach to security: I don't have to put SSL >across the entire site. The site will be vulnerable to man-in-the-middle >attacks, but only for the duration of a session.
I've done this using custom skins, copying the login_form and modifying it to use https when submitting. Bill -- INTERNET: [EMAIL PROTECTED] Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676 There are three kinds of men. The ones that learn by reading. The few who learn by observation. The rest of them have to pee on the electric fence for themselves. -- Will Rogers _______________________________________________ Zope maillist - Zope@zope.org http://mail.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://mail.zope.org/mailman/listinfo/zope-announce http://mail.zope.org/mailman/listinfo/zope-dev )