Hi Chris,

>> I need to redirect all my http requests to the login_form of the
>> CookieCrumble to https, so, I wrote this rule in apache:
>
> Why bother? Just because the form is secure doesn't make cookie authentication any more secure.

Yes, you're right. That is exactly the conclusion I also figured out
after finding an interesting article in plone.org, which talks about this:

* Secure login without plain text passwords

The only problem is that the product mentioned there, SessionCrumbler,
is based on the CMF CookieCrumbler and not the Standalone version.

I guess it wouldn't be difficult to port; I even tried it by replacing
the CMF imports by the Standalone version, but it didn't work. Zope
hangs and I didn't even get a traceback. Anyway, I'm not going to spend
more time trying to get this working. I will perhaps try to do some
patch to the basic http authentication like CookieCrumbler does, but
instead of showing the login forms, I want to do a redirect if the
request is insecure, so, you will still get the popup window, but in https.

> Do you say in https once authenticated?

Yes, the problem, if you read my post, was that with the apache
RewriteRule, I could authenticate myself in ssl, but after that the
browser took me back again to http -> See the article; it exposes
clearly the problem.


Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
