All,

PHPlib (http://phplib.netuse.de) has a piece of JavaScript that creates MD5 hashes from the entries in a form, so you would never have to pass passwords in clear text; as long as the hash agrees with the one created server side, login is successful. The PHPlib docs describe it better than me, but it works great.

hth

Phil
phil.harris@zope.co.uk

----- Original Message -----
From: "Chris Withers" <chrisw@nipltd.com>
To: "albert boulanger" <aboulang@ldeo.columbia.edu>
Cc: <zope@zope.org>; <wei@ldeo.columbia.edu>; <bentz@bentz-engineering.com>
Sent: Tuesday, August 15, 2000 2:13 PM
Subject: Re: [Zope] Implementing a login form instead of BASIC authentication
albert boulanger wrote:
> DIGEST seems good in that it is encrypted and uses the Challenge/Response like BASIC for every HTTP transaction -- matched well with the stateless nature of HTTP.

AFAIK, no browsers (maybe Mozilla, but that has the stability of a house of cards ;-) support Digest and I'm pretty sure that Zope doesn't either :(

> 1) One should encrypt the info in the cookie

Definitely

> 2) How does one get around the stateless nature of HTTP in a secure way using cookies? In other words, unless the HTTP transaction is challenged every time, how do you really know that someone is not trying to slip into an existing session?

Hehe, welcome to one of the biggest challenges on the web...

...that, and getting your CSS to be compatible with all the major browsers ;-)

cheers,

Chris
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
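The thread touches two mechanisms: hashing the password in the form before it is sent (Phil's PHPlib pointer) and keeping a cookie-based session from being hijacked (albert's questions 1 and 2). The following Python is an added illustration by the editor, not PHPlib's or Zope's code; the user store, the `md5(nonce + md5(password))` response format, the function names and the server key are all constructed for the demo. It shows why a fixed client-side hash is still a replayable credential, how binding the response to a one-shot server challenge stops the replay, and how an HMAC tag over the cookie contents lets the server detect a forged or altered session cookie. MD5 is kept only because it is what the thread discusses; a current design would use a password hash and SHA-2 or better.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store: the server holds md5(password), matching what the
# form-side script computes. (Hypothetical; not PHPlib's storage format.)
PASSWORD_DIGESTS = {"alice": hashlib.md5(b"correct horse").hexdigest()}


def static_hash_login(user, submitted_digest):
    """Variant 1: client sends md5(password), server compares digests.
    Cleartext never crosses the wire, but whoever captures the digest
    can submit it again: the hash *is* the credential."""
    expected = PASSWORD_DIGESTS.get(user)
    return expected is not None and hmac.compare_digest(expected, submitted_digest)


# Variant 2: bind the response to a fresh, single-use server challenge.
_outstanding_challenges = {}


def issue_challenge(user):
    """Server side: mint a random nonce and remember it for this user."""
    nonce = secrets.token_hex(16)
    _outstanding_challenges[user] = nonce
    return nonce


def client_response(nonce, password):
    """What the form's script would compute: md5(nonce + md5(password))."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((nonce + digest).encode()).hexdigest()


def challenge_login(user, response):
    """Server side: the challenge is consumed on first use, so a captured
    response cannot be replayed against a later login."""
    nonce = _outstanding_challenges.pop(user, None)
    stored_digest = PASSWORD_DIGESTS.get(user)
    if nonce is None or stored_digest is None:
        return False
    expected = hashlib.md5((nonce + stored_digest).encode()).hexdigest()
    return hmac.compare_digest(expected, response)


def demo_replay():
    """Returns (static_replay_ok, challenge_first_ok, challenge_replay_ok)."""
    captured = hashlib.md5(b"correct horse").hexdigest()  # sniffed off the wire
    static_replay_ok = static_hash_login("alice", captured) and static_hash_login("alice", captured)

    nonce = issue_challenge("alice")
    sniffed_response = client_response(nonce, "correct horse")
    first_ok = challenge_login("alice", sniffed_response)
    issue_challenge("alice")                       # next login gets a new nonce
    replay_ok = challenge_login("alice", sniffed_response)
    return static_replay_ok, first_ok, replay_ok


# Session cookie integrity (albert's points 1 and 2): rather than trusting
# "user=alice" from the browser, the server signs what it issues. Anyone can
# read the cookie, but only the holder of SERVER_KEY can produce a valid tag.
SERVER_KEY = os.urandom(32)  # hypothetical per-server secret, never sent to clients


def make_session_cookie(user):
    payload = f"{user}:{secrets.token_hex(8)}"  # identity plus random session id
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session_cookie(cookie):
    """Returns the user name if the tag verifies, else None."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload.split(":", 1)[0]


if __name__ == "__main__":
    print("static replay accepted / challenge first / challenge replay:", demo_replay())
    cookie = make_session_cookie("alice")
    print("genuine cookie ->", verify_session_cookie(cookie))
    print("edited cookie  ->", verify_session_cookie("mallory" + cookie[len("alice"):]))
```

The challenge variant still needs a per-request answer to albert's second point: a signed cookie proves the session was issued by this server, and confidentiality on the wire (TLS) keeps the cookie from being copied in the first place; the signature alone does not stop someone who already has the cookie value from presenting it.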