One more question: what about security? At this moment the SessionUID cookie is unencrypted and this is not very safe... or is this cookie tied up to Zope session? Is it possible for someone else to tap into another person's session? Do you have any recommendation for enhancing security? regards, Hung Jung
On Tue, 8 Feb 2000, Hung Jung Lu wrote:
> One more question: what about security?
>
> At this moment the SessionUID cookie is unencrypted and this is not very safe... or is this cookie tied up to Zope session? Is it possible for someone else to tap into another person's session?

It is possible if you could guess some other person's SessionUID, which is essentially a long random number (0-100000000). In any case the SessionUID goes over the network unencrypted, as does all Zope related security info. In effect you are limited by the HTTP protocol.

> Do you have any recommendation for enhancing security?

If your users will be logging in through HTTPS then I can devise a scheme to make it more secure, but as long as you use HTTP or your users do not login at all you are very limited. This I believe would be a problem for any Session management scheme. If anyone knows otherwise please let me know. If you worry about the SessionUID length then we can make it longer, much longer if you desire, but even now, chances of guessing someone's SessionUID should be -approximately- (number of existing sessions)/100,000,000 per trial. Pavlos
Pavlos, Have you seen http://mars.post1.com/home/ngps/m2/ It's an https patch for Zope. Seems interesting. Phil Phil.harris@zope.co.uk