Besides the AUTHORIZED_USER field in the http header, what else does zope use to identify an http packet from a browser? I am just wondering, can I not masquerade as a user by setting the http header using httplib or some such utility? I have not seen any session ids in the REQUEST variable, which is supposed to contain all the variables in the browser request.

thanks,
sathya
--
########################## necessity is the mother of invention ##########################
sam wrote:
Besides the AUTHORIZED_USER field in the http header
AUTHENTICATED_USER is an object created after a client authenticates; it is not an http header, nor is it derived from the Authentication header. The Authentication header contains a user id and base64 encoded password that is used to authenticate the client.
what else does zope use to identify an http packet from a browser?
I assume by 'packet' you mean request. HTTP is stream based.
I am just wondering, can I not masquerade as a user by setting the http header using httplib or some such utility?
No. You can authenticate yourself with such a client, but you must still have a valid password. You cannot just insert any old user id into the Authentication header and expect Zope to believe you. That wouldn't exactly be very good security.

-Michel
On Fri, 17 Mar 2000, you wrote:
No. You can authenticate yourself with such a client, but you must still have a valid password. You cannot just insert any old user id into the Authentication header and expect Zope to believe you. That wouldn't exactly be very good security.

Thanks. I would think then this password is susceptible to the same pitfalls as sending clear text passwords over the network, which can be stolen. In which case making users use https is a good idea?

sam
Yeah, this is probably the best idea. Zope sits quite nicely behind apache-ssl.

Benno
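Michel's point that the Basic credentials header carries "user id and base64 encoded password", and sam's follow-up that this is effectively clear text on the wire, can both be seen in a few lines of code. The following is an added illustration, not code from this thread and not Zope's own authentication code: it builds the header the way a client such as httplib would, parses it the way a server does, and checks the password against a constructed user store (the user "alice", her password, and the PBKDF2 storage format are all assumptions made for the example). A forged header with a valid user id but the wrong password is rejected, while decoding the header needs no secret at all, which is why TLS (apache-ssl in Benno's reply) is needed to protect it in transit.

```python
import base64
import binascii
import hashlib
import hmac
import os


def _make_record(password: str) -> tuple:
    """Constructed server-side record: random salt plus PBKDF2-SHA256 digest.
    Nothing about how Zope itself stores passwords is assumed here."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


# Constructed user store for the example (hypothetical user and password).
USERS = {
    "alice": _make_record("correct horse battery staple"),
}


def make_basic_header(user: str, password: str) -> str:
    """Build the Basic credentials header value exactly as a client sends it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Return (user, password) from a Basic header value, or None if it is
    absent or malformed. Note that no key is needed: base64 is an encoding,
    so anyone who captures the header can recover the password."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # passwords may contain ':'
    return user, password


def authenticate(header_value):
    """Return the authenticated user name, or None.
    A user id alone never succeeds: the password is verified against the
    stored digest, so a client that only knows a valid user id is rejected."""
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    if record is None:
        return None
    salt, expected = record
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(actual, expected):
        return None
    return user


if __name__ == "__main__":
    good = make_basic_header("alice", "correct horse battery staple")
    forged = make_basic_header("alice", "guess")
    print("valid password  ->", authenticate(good))    # alice
    print("forged header   ->", authenticate(forged))  # None
    print("on the wire     ->", parse_basic_authorization(good))
```

The `parse_basic_authorization` call at the end is the eavesdropper's view: the same decoding the server performs recovers the password from a captured request, which is the reason the thread lands on putting Zope behind an SSL-terminating web server.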
participants (3): Ben Leslie, Michel Pelletier, sam