Yes I agree, having checked on basic http authentication I need SSL. Basic http and cookie auth is insecure. I just feel that zope should have this facility even with a self signed certificate, so that you could do it without Apache and had more options. The option to even just have it on for site logon would be good. On 1/25/06, Tino Wildenhain <tino@wildenhain.de> wrote:
michael nt milne schrieb:
Cookie authentication can't be secure. Also I have my doubts about http authentication. I'll check though. Basicallx you want really good encryption on any logon and password etc.
You want ssl for all. There is no security if you have "logon" encrypted in a stateless protocol as HTTP is. Basically with HTTP you identify for every single request. So if you login "encrypted" and say, handle the session with a one time key (You could write a userfolder or plugin for PAS to do that) the one time key is still vulnerable if not sent over encrypted channel. So Using apache as ssl proxy is easy and secure and does exactly what you want. There is not really "an extra step" because you set up apache or the like anyway on a moderate to heavy used site as frontent to zope.
As for the security aspect, a cooky with auth credentials is equally "secure" as Basic Auth. There is really not much of a difference - just other HTTP header-name.
Regards Tino