Stephan Goeldi wrote:
Wouldn't that reduce system security?
I think he means cookie-based authentication, as found on zope.org.
I am currently looking into implementing a login form to replace the standard BASIC authentication.
Gérard, take a look at things like LoginManager and GUF, which can do this sort of thing. They are standard replacements for the acl_users folder and will serve you a lot better than hacking around in User.py...

I am interested in this issue as well, since we are looking hard at security. Here is my current thinking. BASIC is not secure since the name:password is base64 encoded and not encrypted. DIGEST seems good in that it is encrypted and uses the Challenge/Response like BASIC for every HTTP transaction -- matched well with the stateless nature of HTTP. Cookie based methods seem to assume some notion of session to me, which fundamentally is a hack and is less secure than DIGEST, to wit:

1) One should encrypt the info in the cookie.
2) How does one get around the stateless nature of HTTP in a secure way using cookies? In other words, unless the HTTP transaction is challenged every time, how do you really know that someone is not trying to slip into an existing session?

Also on the server side I need to share the login info among Zope and Tomcat -- has a methodology been developed to do so?

Regards,
Albert Boulanger
aboulanger@ldeo.columbia.edu
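The three mechanisms Albert compares side by side, as an added Python example that is not part of this thread and not code from Zope, LoginManager or GUF. It shows that a Basic header is only base64 (anyone holding the header recovers the password), that a Digest response (RFC 2617, no qop, MD5 as the RFC specifies) is bound to a server-issued nonce so a captured response cannot be replayed, and that a session cookie can be made tamper-evident and time-limited with an HMAC rather than carrying a bare user name. The realm name, user names, passwords and server secret are constructed values for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---- 1. BASIC: the credential is base64-encoded, not encrypted ----------

def basic_header(user, password):
    """Build the Authorization header a browser sends for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def basic_credentials(header):
    """Whoever can read the header recovers user and password unchanged."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

# ---- 2. DIGEST (RFC 2617, no qop): challenge/response on every request --

REALM = "zope-example"  # constructed realm name

def _md5(s):
    # MD5 is what RFC 2617 specifies for Digest; it is a protocol constant here
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, method, uri, nonce):
    """What the client sends: the password itself never crosses the wire."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class DigestServer:
    def __init__(self, users):
        # The server keeps only HA1 per user, never the raw password.
        self.ha1 = {u: _md5(f"{u}:{REALM}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self):
        """Issue a fresh nonce for one request (the WWW-Authenticate step)."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response):
        """Accept a response only for a live, single-use nonce."""
        if nonce not in self.live_nonces or user not in self.ha1:
            return False
        self.live_nonces.discard(nonce)  # consumed: replaying the same response fails
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[user]}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, response)

# ---- 3. COOKIE session: HMAC-signed, expiring token ---------------------

SECRET = b"constructed-server-secret-replace-in-real-use"  # constructed

def issue_cookie(user, ttl=3600, now=None):
    """Sign {user, expiry} so the client cannot alter or extend the session."""
    now = time.time() if now is None else now
    payload = base64.urlsafe_b64encode(
        json.dumps({"u": user, "exp": int(now + ttl)}).encode())
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + sig

def verify_cookie(cookie, now=None):
    """Return the user name for a valid, unexpired cookie, else None."""
    now = time.time() if now is None else now
    payload, _, sig = cookie.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature mismatch: tampered or forged
    data = json.loads(base64.urlsafe_b64decode(payload))
    if data["exp"] < now:
        return None  # session expired
    return data["u"]

if __name__ == "__main__":
    hdr = basic_header("gerard", "s3cret")
    print("Basic header reveals:", basic_credentials(hdr))
    srv = DigestServer({"gerard": "s3cret"})
    n = srv.challenge()
    r = digest_response("gerard", "s3cret", "GET", "/manage", n)
    print("Digest first use:", srv.verify("gerard", "GET", "/manage", n, r))
    print("Digest replay:", srv.verify("gerard", "GET", "/manage", n, r))
    c = issue_cookie("gerard")
    print("Cookie user:", verify_cookie(c))
```

The cookie part answers Albert's point 1) only partially: the HMAC makes the cookie tamper-evident and expiring, but the payload is still readable base64, so nothing secret belongs in it and confidentiality on the wire still comes from TLS. Point 2) is what the per-request nonce in the Digest server addresses: each request is re-challenged, so a response captured from one exchange is useless for the next.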