Thanks to all for your feedback: I understand better what is going on now. SSL is definitely the way to go, that would solve all my problems.

Now, just to push the problem a bit further: ideally, I'd like to put SSL just on the login form. Zope would authenticate the user in that request and return a "session ID" that would then be passed back and forth in each request (without SSL). That would be a balanced approach to security: I don't have to put SSL across the entire site. The site will be vulnerable to man-in-the-middle attacks, but only for the duration of a session.

Is it possible to do that with Zope? Or does Zope require identifying the user on each request?

Thanks for the help.

Cyrille

bruno desthuilliers wrote:
> Cyrille Bonnet wrote:
>> Hi there,
>> I have been telling all my clients about how great Zope is for security: fine-grained permissions, security framework, roles, etc.
>> Now, one of my clients has a security expert who took a close look at how Zope authenticates users. The results were not good.
>> The main problem is that Zope stores the username and password in a cookie in clear text (base64 encoded).
>
> *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that is responsible for this horror.
>
>> Even though it only happens in their internal network, my client wasn't too happy, because it makes them vulnerable to a man-in-the-middle attack.
>> I know, the odds of that happening are low, but storing the username and password in clear text is clearly not best practice.
>
> That's an understatement.
>
>> So, my question is: is there a way to secure Zope authentication?
>
> Yes: use https.
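The design Cyrille proposes (authenticate once over https, then carry an opaque session ID on later requests) is sketched below as an added Python example; it is not Zope's or CookieCrumbler's code, and the user store, the 30-minute lifetime and the function names are assumptions made for the illustration. The first pair of functions shows why a base64 cookie is "clear text" at all; the rest shows what an opaque, server-side, expiring session buys instead.

```python
import base64
import hmac
import secrets
import time

# Constructed user store (hypothetical). A real deployment stores password
# hashes; the thread is only about what ends up in the cookie.
USERS = {"cyrille": "s3cret"}

SESSION_TTL = 30 * 60          # seconds a session stays valid after login
_sessions = {}                 # session id -> (username, expiry timestamp)


def cookie_crumbler_style(username, password):
    """The scheme the thread complains about: credentials base64-encoded
    into the cookie. base64 is an encoding, not encryption."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_cookie(cookie):
    """Anyone who can read such a cookie recovers both values in one step."""
    username, password = base64.b64decode(cookie).decode().split(":", 1)
    return username, password


def login(username, password, now=None):
    """Authenticate once (the request that would run over https) and return
    an opaque session id that carries no credential information."""
    now = time.time() if now is None else now
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    sid = secrets.token_urlsafe(32)        # 256 random bits, unguessable
    _sessions[sid] = (username, now + SESSION_TTL)
    return sid


def user_for_session(sid, now=None):
    """Per-request check: look the id up server-side. Unknown or expired ids
    are rejected, which bounds how long a sniffed cookie stays useful."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del _sessions[sid]                 # expired: drop it server-side
        return None
    return username


def logout(sid):
    """Invalidate server-side so the cookie value is useless afterwards."""
    _sessions.pop(sid, None)
```

Note that the session id only protects the password; the id itself is still exposed on the non-SSL requests, which is exactly the "vulnerable for the duration of a session" trade-off described above, so the lifetime and the logout path are what limit that exposure.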