16 Jan 2003, 9:13 p.m.
Oliver Bleutgen wrote at 2003-1-16 15:42 +0100:
One thing that bothers me is that I cannot reliably (as in "in a generic way which always works") prevent users from sending their authentication unencrypted. The only ideas I have to tackle this without modifying Zope itself are
- customize all pages which need authentication to check for "https://" in one of the relevant REQUEST attributes and do a redirect if not.
- use Apache with some magic to trigger redirection if it encounters authentication headers in the request.
- use Apache with some rewrite magic to trigger redirection when a substring like "manage" is found in the request.

You might use a "SiteAccess" access rule.
Dieter
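
The reply above points at a rule that runs on every request before the page is served. The decision such a rule has to make, covering the second and third ideas in the quoted list, is sketched here as an added example that is not part of the original thread. It works on a plain CGI-style environ dict rather than Zope's or SiteAccess's API; `zope.example.org`, `PROTECTED_PREFIXES` and the function names are assumptions.

```python
# Added illustration: plain CGI-style environ dict, not Zope's REQUEST API.
from urllib.parse import quote

# Assumption: URL segments starting with "manage" lead to a login prompt.
# Over-matching (e.g. "manager-bio") only causes a harmless redirect to HTTPS.
PROTECTED_PREFIXES = ("manage",)


def is_https(environ):
    """True when the front-end server marked the request as TLS-protected."""
    return environ.get("HTTPS", "").lower() in ("on", "1")


def needs_tls(environ):
    """True when the request carries, or is about to ask for, credentials."""
    if environ.get("HTTP_AUTHORIZATION"):
        return True
    segments = [s for s in environ.get("PATH_INFO", "").split("/") if s]
    return any(s.startswith(PROTECTED_PREFIXES) for s in segments)


def https_redirect_target(environ, canonical_host):
    """Return the https:// URL to redirect to, or None to serve as-is.

    The host comes from configuration, not from the client's Host header,
    so the rule cannot be used to bounce users to an arbitrary site.
    """
    if is_https(environ) or not needs_tls(environ):
        return None
    url = "https://" + canonical_host + quote(environ.get("PATH_INFO") or "/")
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


# Constructed sample requests (not taken from the thread).
SAMPLES = [
    {"PATH_INFO": "/site/manage_main"},
    {"PATH_INFO": "/site/doc", "HTTP_AUTHORIZATION": "Basic <redacted>"},
    {"PATH_INFO": "/site/manage_main", "HTTPS": "on"},
    {"PATH_INFO": "/site/index_html"},
]

if __name__ == "__main__":
    for env in SAMPLES:
        print(env["PATH_INFO"], "->", https_redirect_target(env, "zope.example.org"))
```

A redirect triggered by an `Authorization` header fires only after that header has already crossed the wire unencrypted, so the path-based check is the one that keeps the login prompt from appearing over plain HTTP in the first place.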