On Fri, Mar 31, 2006, Cyrille Bonnet wrote:
>Thanks to all for your feedback: I understand better what is going on now.
>SSL is definitely the way to go, that would solve all my problems.
>Now, just to push the problem a bit further: ideally, I'd like to put 
>SSL just on the login form. Zope would authenticate the user in that 
>request and return a "session ID" that would then be passed back and 
>forth in each request (without SSL).
>That would be a balanced approach to security: I don't have to put SSL 
>across the entire site. The site will be vulnerable to man-in-the-middle 
>attacks, but only for the duration of a session.

I've done this using custom skins, copying the login_form and
modifying it to use https when submitting.

INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

There are three kinds of men. The ones that learn by reading. The few who
learn by observation.  The rest of them have to pee on the electric fence
for themselves. -- Will Rogers
Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )
