"Ross J. Reedstrom" wrote:
> Oleg Machulski wrote: <snipped Oleg pointing out security problems with cookie authentication>
>
> I agree Oleg, that cookies aren't really any better than plain old basic authentication on the client<->server side. However, I see I failed to mention in that note what my set up is - I figured since I'd been spamming the list with my problems, everyone knew about them ;-) I'm running Zope under Apache-SSL, so the front side communications are all encrypted.

But COOKIES are stored on the client side in a plaintext file. hehe. :-) Besides, adding an expiration feature to the authentication system rules.

> The leak out the backend to the Db was my only exposure.
>
> Of course, fixing how Zope sets cookies and deals with passwords doesn't do much good if the client still sends a cleartext password at first login - there needs to be some client side support for some form of encryption on the password before it gets sent to the server for the very first time.

I believe :-) that if we use SSL, it doesn't matter.

If the https:// server could generate a cookie for http://, then we could authenticate the user on the SSL host, generate a complicated cookie, and then switch to a non-SSL connection, but as far as I know, such tricks require special settings to be done in the browser setup, and these settings may lower the security of the client.

> Unfortunately, nothing beyond Basic Auth. seems to be standard, except full blown SSL, encrypting the entire traffic stream (and it does slow things down). I suppose a Java applet would work, or perhaps even some really clever javascript? Eventually, this turns into a Diffie-Hellman key exchange sort of thing, doesn't it?

Maybe, but using JavaScript seems to be insecure. Of course it does not affect server security, but a lot of people prefer to have their JavaScript OFF.

So it seems that the only possible solution is to maintain fully encrypted connections.

--
Best regards
Oleg Machulski
----------------------------------------------------
http://www.geocities.com/SiliconValley/Network/7671/
mailto:oleg_machulski@geocities.com
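As an added illustration of the two points made in the thread (a cookie that sits in a plaintext file on the client should carry no password and should expire, and a cookie minted over SSL should never travel over a plain http:// connection), here is a small signed, expiring session cookie. This is example code written for this page, not code from the thread, from Zope or from Apache-SSL; the function names, the `SERVER_KEY` value and the cookie name `session` are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed demo key. A real deployment loads a long random key from
# protected server-side configuration; it never reaches the client.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def make_session_cookie(user, lifetime_s, key=SERVER_KEY, now=None):
    """Return an opaque cookie value: base64(user|expiry|nonce) '.' HMAC tag.

    The value contains no password, so a copy lifted from the browser's
    cookie file is only useful until `expiry`, and the HMAC means the
    client cannot extend that expiry or change the user name.
    """
    now = int(time.time()) if now is None else now
    expires = now + lifetime_s
    nonce = secrets.token_hex(8)  # makes each login's cookie unique
    payload = f"{user}|{expires}|{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_session_cookie(value, key=SERVER_KEY, now=None):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        b64, tag = value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # malformed value (no '.', bad base64 padding, ...)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison, so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        user, expires, _nonce = payload.decode().rsplit("|", 2)
        expires = int(expires)
    except ValueError:
        return None
    if now >= expires:  # expired: the stolen-cookie window has closed
        return None
    return user


def set_cookie_header(value, max_age):
    """Header that asks the browser to send the cookie only over https.

    `Secure` is what prevents the 'mint over SSL, reuse over http' leak
    discussed in the thread; `HttpOnly` keeps page scripts from reading it.
    """
    return (f"Set-Cookie: session={value}; Max-Age={max_age}; "
            f"Path=/; Secure; HttpOnly")


if __name__ == "__main__":
    cookie = make_session_cookie("alice", lifetime_s=600)
    print(set_cookie_header(cookie, 600))
    print("valid now:", verify_session_cookie(cookie))
    print("valid in 1h:", verify_session_cookie(cookie, now=int(time.time()) + 3600))
```

The server keeps only `SERVER_KEY`; it does not need to store the cookie at all, since authenticity and expiry are checked from the value itself. Rotating the key invalidates every outstanding session at once, which is the cheap way to respond to a suspected cookie leak.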