Bill Welch wrote:
To achieve genuine security, you have to do something about the 'password in the clear' problem.
part 1) With basic auth (the zope default), the user's name and password are sent in the clear with every request.
part 2) With form based login (login manager, zmc), the user's name and password are sent in the clear when the login form is submitted.
Solution: Have to go with form based login that uses ssl to send user's name and password. Unfortunately, in my experience, ssl support for zope is only third party (no offense to Mr. Siong or Mr. Bickers, thanks for your work so far) and hard to integrate, when this is really a core requirement.
I think this is something that DC has to handle.
The standards-compliant way to deal with this problem is to use HTTP Digest Auth, as specified in RFC 2617: http://www.ietf.org/rfc/rfc2617.txt

Doing digest auth properly is a future direction for Zope, because it will help our WebDAV integration story (tools like cadaver do digest auth already).

Given the availability of Apache+SSL (and others like Roxen) to front-end Zope, we are highly unlikely to add SSL into the Zope core; it incurs non-trivial development and configuration costs for those who *don't* need it.

Tres.

--
===============================================================
Tres Seaver tseaver@digicool.com
Digital Creations "Zope Dealers" http://www.zope.org
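To make concrete why Digest Auth addresses the "password in the clear" problem raised above, here is a self-contained implementation of the RFC 2617 qop="auth" exchange, both the client-side computation and the server-side check. This is an added example, not Zope code and not anything from the thread; the function names, the in-memory `ha1_db` and the `issued_nonces` set are assumptions made for the illustration. The username, realm, password and nonce values used in `demo()` are the ones from the worked example in RFC 2617 itself.

```python
"""RFC 2617 HTTP Digest authentication, qop="auth" flavour (added example).

The client hashes the password locally and sends only the digest; the server
stores HA1 (not the password) and recomputes the same digest to verify.
"""
import hashlib
import hmac
import re
import secrets


def _md5_hex(s: str) -> str:
    # RFC 2617 specifies MD5 for the digest; it is a protocol constant here.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1_for(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is all the server needs to
    keep; the clear-text password never has to leave the client."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5_hex(f"{method.upper()}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, realm, password, method, uri, nonce,
                         nc="00000001", cnonce=None) -> str:
    """Build the Authorization header value a client sends. Only the digest
    travels over the wire; the password is consumed locally."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(ha1_for(username, realm, password),
                           method, uri, nonce, nc, cnonce)
    fields = {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
              "qop": "auth", "nc": nc, "cnonce": cnonce, "response": resp}
    # qop and nc are sent as bare tokens per the RFC; everything else quoted.
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"'
        for k, v in fields.items())


_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Minimal parser for the comma-separated Digest parameter list."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD_RE.finditer(params)}


def server_verify(header: str, method: str, request_uri: str,
                  ha1_db: dict, issued_nonces: set) -> bool:
    """Server side: require a nonce this server issued, require the uri field
    to match the request line, recompute from the stored HA1 and compare in
    constant time. Any malformed or unknown input is simply rejected."""
    try:
        p = parse_authorization(header)
        if (p["nonce"] not in issued_nonces or p["uri"] != request_uri
                or p.get("qop") != "auth"):
            return False
        ha1 = ha1_db.get(p["username"])
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, p["uri"], p["nonce"],
                                   p["nc"], p["cnonce"])
        return hmac.compare_digest(expected, p["response"])
    except (KeyError, ValueError):
        return False


def demo() -> dict:
    """Round trip using the RFC 2617 section 3.5 example values (constructed
    in-memory server state; no network involved)."""
    realm, nonce = "testrealm@host.com", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    ha1_db = {"Mufasa": ha1_for("Mufasa", realm, "Circle Of Life")}
    issued = {nonce}
    good = client_authorization("Mufasa", realm, "Circle Of Life", "GET",
                                "/dir/index.html", nonce, cnonce="0a4f113b")
    bad_pw = client_authorization("Mufasa", realm, "wrong", "GET",
                                  "/dir/index.html", nonce, cnonce="0a4f113b")
    return {
        "header": good,
        "accepted": server_verify(good, "GET", "/dir/index.html", ha1_db, issued),
        "wrong_password": server_verify(bad_pw, "GET", "/dir/index.html", ha1_db, issued),
        "uri_mismatch": server_verify(good, "GET", "/other", ha1_db, issued),
        "unknown_nonce": server_verify(good, "GET", "/dir/index.html", ha1_db, set()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing from a defender's point of view: the header carries `response=...` but never the password, which is the point Bill Welch raised, and the server-side `ha1_db` holds a value that is password-equivalent for this realm, so it must be protected as carefully as a password store would be. Digest also protects only the credential, not the request body or the rest of the session, so it is a complement to fronting Zope with SSL rather than a replacement for it.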