Cyrille Bonnet wrote:
Hi there,
I have been telling all my clients about how great Zope is for security: fine-grained permissions, security framework, roles, etc.
Now, one of my clients has a security expert who took a close look at how Zope authenticates users. The results were not good.
The main problem is that Zope stores the username and password in a cookie in clear text (base64 encoded).
*Zope* doesn't do that. It's the (infamous) CookieCrumbler product that is responsible for this horror.
Even though it only happens in their internal network, my client wasn't too happy, because it makes them vulnerable to a man-in-the-middle attack.
I know, the odds of that happening are low, but storing the username and password in clear text is clearly not best practice.
That's an understatement.
So, my question is: is there a way to secure Zope authentication?
Yes: use https.
-- bruno desthuilliers, developer, bruno@modulix.org http://www.modulix.com
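The two points of the exchange, as an added example that is not part of the original thread or of CookieCrumbler's code: base64 is an encoding, so a "username:password" cookie is recoverable by anyone who can read it, while a cookie that carries only an opaque, HMAC-signed session id (an assumed design) holds no password and is rejected when forged or tampered with. The cookie value and the server key are constructed; only the Secure attribute depends on the HTTPS fix suggested in the reply.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed cookie in the style the thread describes: base64("alice:hunter2").
EXAMPLE_CREDENTIAL_COOKIE = "YWxpY2U6aHVudGVyMg=="


def decode_credential_cookie(cookie_value):
    """Base64 is reversible: anyone who sees the cookie gets the credentials back."""
    raw = base64.b64decode(cookie_value).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def make_session_cookie(server_key):
    """Opaque random session id plus an HMAC tag computed with a server-side key.

    The cookie never contains the password; the server maps session_id to a user.
    """
    session_id = secrets.token_urlsafe(16)
    tag = hmac.new(server_key, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_session_cookie(server_key, cookie_value):
    """Return the session id if the tag verifies, else None (forged or tampered)."""
    session_id, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(server_key, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    return session_id


def set_cookie_header(name, value):
    """Secure: sent only over HTTPS; HttpOnly: not readable by page scripts."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(decode_credential_cookie(EXAMPLE_CREDENTIAL_COOKIE))
    key = secrets.token_bytes(32)  # constructed server key
    cookie = make_session_cookie(key)
    print(set_cookie_header("__ac", cookie))
    print(verify_session_cookie(key, cookie))
```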