Yes, this is a good approach; however, I am concerned about management from locations that may not have a static IP (if the IP changes, then you are hooped). I am also looking for a way that this might not be tied to where someone might be located. I don't know if there is a solution that could involve a rewrite rule to manage, and having a specific URL (other than manage) for logging in that is only known to the manager. I guess the other thing I ought to be considering is another rule to prevent usernames and passwords from being passed in the URL as well. I am sure someone has probably done this as well.

Regards,
David

On Friday, March 25, 2005, at 08:48 AM, Lennart Regebro wrote:
> On Fri, 25 Mar 2005 08:30:05 -0400, David Pratt <fairwinds@eastlink.ca> wrote:
>
>> Hi. I am working on a financial product, and it appears to me that the /manage login for Zope could be a potential problem if you are running Zope, since your server is easily guessed and one can go to this URL and try passwords. Can someone suggest an alternative to this, or some modification to Zope that might make this less obvious? The best I can think of would be to do a rewrite on the /manage URL, but I still need manager access to the ZMI through the web. I plan on forcing SSL through Apache when making a connection on whatever URL is used to log in. Any ideas?
>
> You can set up Apache so it only allows access to "manage*" from certain addresses, like your internal net and stuff. I don't have the examples at close hand, sorry.
>
> --
> Lennart Regebro, Nuxeo http://www.nuxeo.com/
> CPS Content Management http://www.cps-project.org/
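The three controls raised in this thread (Lennart's address restriction on "manage*", forcing SSL, and keeping credentials out of the URL) fit together in one Apache front-end configuration. The configuration below is an added example for this page, not Lennart's or the Zope project's own; the hostname, the Zope backend port, the certificate paths and the permitted address ranges are assumptions, and it uses Apache 2.4 syntax (Require ip) rather than the Order/Allow form that was current in 2005. The only Zope-specific identifiers it relies on are the standard login form fields __ac_name and __ac_password and the VirtualHostMonster URL prefix.

```apache
# Added example for this page; not Lennart's or Zope's own configuration.
# Assumptions: Zope listens on 127.0.0.1:8080, the public name is
# zope.example.com, and administrators arrive from 192.0.2.0/24 (office)
# or 198.51.100.7 (VPN gateway). Needs mod_ssl, mod_rewrite, mod_proxy
# and mod_proxy_http loaded.

<VirtualHost *:80>
    ServerName zope.example.com
    # Force SSL: every plain-HTTP request is sent to the HTTPS host,
    # so no login form is ever submitted in the clear.
    Redirect permanent / https://zope.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName zope.example.com
    SSLEngine on
    # Certificate and key paths are assumptions.
    SSLCertificateFile    /etc/ssl/certs/zope.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/zope.example.com.key

    RewriteEngine on
    # Refuse any request that carries Zope's login fields in the query
    # string. A GET such as /manage?__ac_name=admin&__ac_password=... would
    # otherwise land in browser history, Referer headers and the access
    # log; the login form must submit by POST instead.
    RewriteCond %{QUERY_STRING} (^|&)__ac_(name|password)= [NC]
    RewriteRule .* - [F,L]

    # Only the listed addresses may reach any ZMI URL: /manage,
    # /manage_main, /some/folder/manage_workspace and so on. Everyone
    # else receives 403 before the request ever reaches Zope.
    <LocationMatch "^/(.*/)?manage">
        Require ip 192.0.2.0/24 198.51.100.7
    </LocationMatch>

    # Everything that survives the checks above is handed to Zope through
    # VirtualHostMonster, so URLs Zope generates come back as
    # https://zope.example.com/... rather than http://127.0.0.1:8080/...
    ProxyPass        / http://127.0.0.1:8080/VirtualHostBase/https/zope.example.com:443/VirtualHostRoot/
    ProxyPassReverse / http://127.0.0.1:8080/VirtualHostBase/https/zope.example.com:443/VirtualHostRoot/
</VirtualHost>
```

Run apachectl configtest after installing it, then check from an address outside the permitted ranges that https://zope.example.com/manage returns 403 while the public pages still load, and that http:// requests are redirected. Two caveats: the LocationMatch pattern also catches any site path that begins with "manage" (a hypothetical /management-reports page, for instance), so adjust the expression to your own URL names; and a renamed or secret login URL is only obscurity, so it can sit on top of these controls but should not replace them. For managers without a fixed address, the usual answer is to have them connect through a VPN whose gateway address is the one Apache permits, which keeps the rule independent of where the person physically is.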