25 Mar 2005, 7:59 p.m.
David Pratt wrote at 2005-3-25 08:30 -0400:
> I am working on a financial product and it appears to me that the /manage login for Zope could be a potential problem if you are running Zope, since your server is easily guessed and one can go to this URL and try passwords. Can someone suggest an alternative to this, or some modification to Zope that might make this less obvious?
You can use a "Post Authentication Hook" to perform additional tests. There are two competing proposals for such a hook (one in the collector and one on my Zope page). I doubt that any one has been integrated in the actual Zope code. But it should not be difficult to apply a patch.

-- Dieter
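To make the "additional tests" concrete, here is an added example of what such a post-authentication hook could enforce against password guessing on /manage. It is illustrative code written for this page, not Zope's code and not either of the proposals mentioned above: it assumes a hook callable `check(request, user_id, password_ok)` that the authentication layer invokes after the password comparison and whose False result rejects the login, and a minimal `Request` with only `path` and `remote_addr`. The actual hook signature in the patches may differ. The hook restricts management URLs to an allow-list of networks and locks out a source address that fails repeatedly, rejecting it even once it finally guesses the right password.

```python
"""Hypothetical post-authentication hook (added illustration, not Zope code).

Assumed interface: the auth layer calls hook.check(request, user_id,
password_ok) after comparing the password and rejects the login when the
hook returns False. Request fields used are assumptions as well.
"""
import ipaddress
import time
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Request:
    """Minimal stand-in for a request object (assumed shape)."""
    path: str
    remote_addr: str


class PostAuthHook:
    def __init__(self, allowed_manage_nets, max_failures=5,
                 lockout_seconds=600, clock=time.monotonic):
        # Networks from which management screens may be used at all.
        self.allowed_manage_nets = [ipaddress.ip_network(n) for n in allowed_manage_nets]
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable for testing
        # (remote address, user id) -> timestamps of recent failed logins
        self._failures = defaultdict(list)

    @staticmethod
    def is_manage_path(path):
        # Management screens are reached through /manage, /manage_main,
        # /<folder>/manage_workspace and similar: treat any path segment
        # that starts with "manage" as a management URL.
        return any(seg.startswith("manage") for seg in path.split("/"))

    def _recent_failures(self, key):
        # Drop failures older than the lockout window and return the rest.
        cutoff = self.clock() - self.lockout_seconds
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]
        return self._failures[key]

    def check(self, request, user_id, password_ok):
        key = (request.remote_addr, user_id)
        failures = self._recent_failures(key)
        # A source that is locked out is rejected even when the password is
        # now correct; otherwise a guesser simply keeps trying until it hits.
        if len(failures) >= self.max_failures:
            return False
        if not password_ok:
            failures.append(self.clock())
            return False
        # Correct password: management URLs are additionally restricted by
        # source network, so a leaked or guessed password alone is not enough.
        if self.is_manage_path(request.path):
            addr = ipaddress.ip_address(request.remote_addr)
            if not any(addr in net for net in self.allowed_manage_nets):
                return False
        failures.clear()  # successful login resets the counter
        return True


if __name__ == "__main__":
    hook = PostAuthHook(["10.0.0.0/8", "127.0.0.1/32"], max_failures=3)
    # Constructed sample requests: an admin from the office net, and an
    # outside address that guesses wrongly three times.
    print(hook.check(Request("/manage", "10.1.2.3"), "admin", True))
    for _ in range(3):
        print(hook.check(Request("/manage", "203.0.113.7"), "admin", False))
    print(hook.check(Request("/manage", "203.0.113.7"), "admin", True))
```

The network restriction is the part that actually removes the "easily guessed URL" exposure, since management screens become unreachable from the Internet regardless of the password; the lockout only slows guessing and needs a per-source key (as here) so that one attacker cannot lock the real administrator out of the whole site.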