On 3/30/06, Cyrille Bonnet <cyrille@3months.com> wrote:
> The main problem is that Zope stores the username and password in a cookie in clear text (base64 encoded).
As mentioned before, Zope doesn't, but CookieCrumbler (and hence Plone) does. And, the security expert is not much of a security expert at all, if he doesn't know this: You will only get real web security with SSL.
> Even though it only happens in their internal network, my client wasn't too happy, because it makes them vulnerable to a man-in-the-middle attack.
All plain http is vulnerable to that, which is why, if you care about security, you need to use https.
> So, my question is: is there a way to secure Zope authentication?
Yup. See above. :)
> Also, if it is good, why is it not part of default Zope??
Good question. :-) However, today you want to use PAS, the new fancy modular user folder for Zope. I don't know if it works with Plone yet, though.

--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
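An added example, not part of the thread, showing the defender's side of what the reply describes: an audit check over a server's Set-Cookie headers that flags any cookie whose value is merely base64 of `user:password` and that is set without the Secure attribute or over plain http. The cookie name `__ac` and the sample headers are constructed assumptions, not taken from Zope or Plone source.

```python
import base64
import binascii
from http.cookies import SimpleCookie

# Constructed sample: a login reply served over plain http.
# "__ac" is assumed as the credential cookie name; its value is base64("alice:s3cret").
SAMPLE_HEADERS = [
    ("Set-Cookie", "__ac=YWxpY2U6czNjcmV0; Path=/"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]


def decode_credential_cookie(value):
    """Return (user, password) if value is base64 of 'user:password', else None."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # opaque token, not a recoverable credential pair
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def audit_set_cookie_headers(headers, scheme):
    """Flag cookies carrying recoverable credentials; 'exposed' means they cross
    the wire readable: the page was served over plain http, or the cookie lacks
    Secure and so will also be sent on any later http request."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            creds = decode_credential_cookie(morsel.value)
            if creds is None:
                continue
            secure = bool(morsel["secure"])
            findings.append({
                "cookie": cookie_name,
                "user": creds[0],
                "secure": secure,
                "exposed": scheme != "https" or not secure,
            })
    return findings
```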