Pavlos,

Have you seen http://mars.post1.com/home/ngps/m2/

It's an https patch for Zope.

Seems interesting.

Phil
Phil.harris@zope.co.uk

| -----Original Message-----
| From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of
| Pavlos Christoforou
| Sent: Wednesday, February 09, 2000 3:20 PM
| To: Hung Jung Lu
| Cc: pavlos@gaaros.com; zope@zope.org
| Subject: [Zope] Re: FSSession
|
|
| On Tue, 8 Feb 2000, Hung Jung Lu wrote:
|
| > One more question: what about security?
| >
| > At this moment the SessionUID cookie is unencrypted
| > and this is not very safe... or is this cookie tied
| > up to the Zope session? Is it possible for someone else
| > to tap into another person's session?
|
| It is possible if you could guess some other person's SessionUID, which is
| essentially a long random number (0-100000000). In any case the SessionUID
| goes over the network unencrypted, as does all Zope-related security info.
| In effect you are limited by the HTTP protocol.
| >
| > Do you have any recommendation for enhancing security?
|
| If your users will be logging in through HTTPS then I can devise a scheme to
| make it more secure, but as long as you use HTTP or your users do not log in
| at all you are very limited. This I believe would be a problem for any
| session management scheme. If anyone knows otherwise please let me know.
|
| If you worry about the SessionUID length then we can make it longer, much
| longer if you desire, but even now, the chances of guessing someone's
| SessionUID should be -approximately- (number of existing
| sessions)/100,000,000 per trial.
|
| Pavlos
|
|
| _______________________________________________
| Zope maillist - Zope@zope.org
| http://lists.zope.org/mailman/listinfo/zope
| ** No cross posts or HTML encoding! **
| (Related lists -
| http://lists.zope.org/mailman/listinfo/zope-announce
| http://lists.zope.org/mailman/listinfo/zope-dev )
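The guessing estimate in the quoted reply, worked through as an added example. This is not code from the thread, from FSSession or from Zope; the function names (entropy_bits, hit_probability, expected_trials_to_hit, new_session_id) and the constructed parameters (an ID space of 100,000,000 values, 1,000 live sessions, an attacker making 100,000 guesses) are assumptions chosen to illustrate the arithmetic. It shows what "(number of existing sessions)/100,000,000 per trial" means once an attacker is allowed many trials, and what the same calculation looks like for a 128-bit token.

```python
import math
import secrets

# Constructed to mirror the thread: SessionUID is a random number in 0..100,000,000.
FSSESSION_SPACE = 100_000_000


def entropy_bits(space: int) -> float:
    """Bits of entropy in an ID drawn uniformly at random from `space` values."""
    return math.log2(space)


def hit_probability(space: int, live_sessions: int, trials: int) -> float:
    """Probability that `trials` independent uniform guesses hit at least one
    of `live_sessions` live IDs.

    Assumes live IDs are distinct and uniformly random and that the guesser
    has no better strategy than uniform guessing. If the generator is
    predictable (e.g. seeded from the clock), the effective `space` is far
    smaller and this bound is optimistic.
    """
    p_single = live_sessions / space          # the per-trial figure from the thread
    return 1.0 - (1.0 - p_single) ** trials   # complement of "every guess misses"


def expected_trials_to_hit(space: int, live_sessions: int) -> float:
    """Expected number of guesses until the first hit (geometric distribution)."""
    return space / live_sessions


def new_session_id(nbytes: int = 16) -> str:
    """A session ID with `nbytes` * 8 bits of entropy from the OS CSPRNG.

    Assumption for the example: 16 bytes (128 bits) is used as the comparison
    point; it is not what FSSession did.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    live = 1_000       # constructed: 1,000 sessions alive on the server
    guesses = 100_000  # constructed: attacker budget of 100,000 requests

    print(f"FSSession ID space: {entropy_bits(FSSESSION_SPACE):.1f} bits")
    print(f"per-trial hit chance: {live / FSSESSION_SPACE:.2e}")
    print(f"expected guesses to hijack some session: "
          f"{expected_trials_to_hit(FSSESSION_SPACE, live):,.0f}")
    print(f"P(hit within {guesses:,} guesses): "
          f"{hit_probability(FSSESSION_SPACE, live, guesses):.3f}")

    big_space = 2 ** 128
    print(f"128-bit token: {entropy_bits(big_space):.0f} bits, "
          f"P(hit within {guesses:,} guesses): "
          f"{hit_probability(big_space, live, guesses):.3e}")
    print(f"example 128-bit token: {new_session_id()}")
```

The point the numbers make: a 100,000,000-value space is about 26.6 bits, and with a thousand live sessions an attacker who can issue on the order of 100,000 requests has roughly a 63% chance of landing in somebody's session, regardless of which one. The same attacker against a 128-bit token from a CSPRNG has a chance on the order of 10^-30. Token length only helps if the values are actually unpredictable, so the generator matters as much as the range.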