On Tue, 8 Feb 2000, Hung Jung Lu wrote:
One more question: what about security?
At this moment the SessionUID cookie is unencrypted and this is not very safe... or is this cookie tied to the Zope session? Is it possible for someone else to tap into another person's session?
It is possible if you could guess some other person's SessionUID, which is essentially a long random number (0-100000000). In any case the SessionUID goes over the network unencrypted, as does all Zope-related security info. In effect you are limited by the HTTP protocol.
Do you have any recommendation for enhancing security?
If your users will be logging in through HTTPS then I can devise a scheme to make it more secure, but as long as you use HTTP, or your users do not log in at all, you are very limited. This, I believe, would be a problem for any session management scheme. If anyone knows otherwise, please let me know. If you worry about the SessionUID length then we can make it longer, much longer if you desire, but even now the chances of guessing someone's SessionUID should be -approximately- (number of existing sessions)/100,000,000 per trial.

Pavlos
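The guessing estimate above can be put into numbers. The following is an added example, not code from Pavlos, from Hung Jung Lu, or from Zope's session product: it works out the per-trial hit probability and the expected number of guesses for an identifier space of 10^8 values (the 0-100,000,000 range mentioned in the thread is assumed to mean 10^8 equally likely values), compares that with a 128-bit token drawn from the operating system's CSPRNG, and shows how the cookie would be marked so that a browser only sends it over HTTPS. The function names, the session counts and the guess rates are constructed for illustration.

```python
import math
import secrets
from fractions import Fraction
from http.cookies import SimpleCookie

# Assumed size of the SessionUID space discussed in the thread: 10**8 values.
NUMERIC_SPACE = 10**8


def guess_probability(space_size, active_sessions):
    """Chance that one uniformly random guess lands on *any* active session.

    This is the "(number of existing sessions)/space" figure from the thread,
    kept as an exact fraction so small values do not get rounded away.
    """
    return Fraction(active_sessions, space_size)


def expected_trials_to_hit(space_size, active_sessions):
    """Expected number of independent guesses until one hits an active session."""
    return Fraction(space_size, active_sessions)


def expected_seconds_to_hit(space_size, active_sessions, guesses_per_second):
    """Wall-clock time an attacker needs at a given guess rate (constructed rate)."""
    return expected_trials_to_hit(space_size, active_sessions) / guesses_per_second


def id_entropy_bits(space_size):
    """Bits of entropy in a uniformly chosen id from a space of this size."""
    return math.log2(space_size)


def minimum_space_for(active_sessions, guesses_per_second, seconds):
    """Smallest id space such that the expected time to a hit is at least `seconds`.

    Derived from expected_seconds_to_hit(space, n, g) >= seconds.
    """
    return active_sessions * guesses_per_second * seconds


def new_session_id(nbytes=16):
    """An unguessable session id: 128 random bits from the OS CSPRNG, hex encoded.

    secrets.token_hex is the standard-library way to get CSPRNG output; this is
    the "make it longer, much longer" option from the thread taken to its
    practical conclusion (2**128 values instead of 10**8).
    """
    return secrets.token_hex(nbytes)


def session_cookie_header(session_id, secure=True, name="SessionUID"):
    """Render the Set-Cookie value for the session id.

    With secure=True the browser will only send the cookie over HTTPS, which is
    the precondition Pavlos mentions for a stronger scheme; HttpOnly keeps page
    scripts from reading it.  (Cookie name taken from the thread; flags are the
    added recommendation of this example.)
    """
    cookie = SimpleCookie()
    cookie[name] = session_id
    cookie[name]["httponly"] = True
    if secure:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed scenario: 1,000 live sessions, attacker tries 1,000 guesses/second.
    sessions, rate = 1000, 1000
    for label, space in (("10**8 numeric id", NUMERIC_SPACE), ("128-bit token", 2**128)):
        p = guess_probability(space, sessions)
        t = expected_seconds_to_hit(space, sessions, rate)
        print(f"{label}: {id_entropy_bits(space):.1f} bits, per-trial hit "
              f"probability {float(p):.3g}, expected {float(t)/3600:.3g} hours to a hit")
    # Space needed so that the same attacker needs on average a year:
    need = minimum_space_for(sessions, rate, 365 * 24 * 3600)
    print(f"need >= {need} ids ({id_entropy_bits(need):.1f} bits) for a one-year expectation")
    print("Set-Cookie:", session_cookie_header(new_session_id()))
```

Running it shows that with a thousand live sessions the 10^8 space gives a 1-in-100,000 hit per guess, so a thousand guesses a second finds a valid session in under two minutes on average, while even a one-year expectation against that attacker already needs about 45 bits; a 128-bit token makes the same calculation astronomically large. The Secure flag only helps once the site is actually served over HTTPS, which is exactly the limitation stated in the reply.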