Re: [Zope] Implementing a login form instead of BASIC authentication
Wouldn't that reduce system security?
I am currently looking into implementing a login form to replace the standard BASIC authentication.
Stephan Goeldi wrote:
Wouldn't that reduce system security?
I think he means cookie-based authentication, as found on zope.org.
I am currently looking into implementing a login form to replace the standard BASIC authentication.
Gérard, take a look at things like LoginManager and GUF, which can do this sort of thing. They are standard replacements for the acl_users folder and will serve you a lot better than hacking around in User.py...

cheers,

Chris
I am interested in this issue as well since we are looking hard at security. Here is my current thinking.

BASIC is not secure since the name:password is base64 encoded and not encrypted. DIGEST seems good in that it is encrypted and uses the Challenge/Response like BASIC for every HTTP transaction -- matched well with the stateless nature of HTTP. Cookie based methods seem to assume some notion of session to me, which fundamentally is a hack and is less secure than DIGEST, to wit:

1) One should encrypt the info in the cookie

2) How does one get around the stateless nature of HTTP in a secure way using cookies? In other words, unless the HTTP transaction is challenged every time, how do you really know that someone is not trying to slip into an existing session?

Also on the server side I need to share the login info among Zope and Tomcat -- has a methodology been developed to do so?

Regards,
Albert Boulanger
aboulanger@ldeo.columbia.edu
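Two of the points raised above, what Basic actually puts on the wire and what a cookie needs before it can stand in for re-authentication on every request, worked through in Python (Zope's language) as an added example; this is not code from the thread or from Zope. The Basic half decodes a header to show that base64 is reversible encoding, not encryption. The cookie half covers what "encrypt the info in the cookie" alone does not: an integrity tag (HMAC over user and expiry under a server-held key) and an expiry, so a forged or altered cookie is rejected rather than merely unreadable, and a captured one stops working after its lifetime. SERVER_KEY, the `user|expiry|tag` layout, the user names and the timestamps are constructed for the example.

```python
"""Added example (not from the thread or from Zope): what Basic transmits,
and a tamper-evident, expiring session cookie for a form-based login."""
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed server-side key for the example only; a deployment loads it from
# configuration, never from source, and rotates it.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def decode_basic(header_value: str) -> Tuple[str, str]:
    """Recover user and password from an 'Authorization: Basic <blob>' value.

    Base64 is reversible encoding, not encryption: anyone who can read the
    header (a proxy, a sniffer on an unencrypted link) has the password.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(user: str, now: int, ttl: int = 3600, key: bytes = SERVER_KEY) -> str:
    """Build 'user|expiry|tag'. The tag binds user and expiry to the server key,
    so the client cannot change either without detection."""
    if "|" in user:
        raise ValueError("user name may not contain the separator")
    payload = f"{user}|{now + ttl}"
    return f"{payload}|{_tag(payload, key)}"


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user if the cookie is intact and unexpired, else None.

    The tag is checked first and in constant time, so a forged cookie learns
    nothing about which field was wrong.
    """
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expiry_str, tag = parts
    expected = _tag(f"{user}|{expiry_str}", key)
    if not hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8")):
        return None
    try:
        expiry = int(expiry_str)
    except ValueError:
        return None
    if now >= expiry:
        return None
    return user


if __name__ == "__main__":
    # Constructed header: base64 of "gerard:secret".
    print(decode_basic("Basic Z2VyYXJkOnNlY3JldA=="))       # ('gerard', 'secret')
    cookie = issue_cookie("gerard", now=1_000_000)
    print(verify_cookie(cookie, now=1_000_000))              # gerard
    print(verify_cookie(cookie.replace("gerard", "admin"), now=1_000_000))  # None: tag mismatch
    print(verify_cookie(cookie, now=1_000_000 + 3600))       # None: expired
```

The server still has to accept that a cookie presented within its lifetime is the original holder; the tag and expiry only bound how long a stolen cookie works and rule out forging or altering one. Carrying the cookie only over an encrypted connection is what keeps it from being captured in the first place.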
albert boulanger wrote:
DIGEST seems good in that it is encrypted and uses the Challenge/Response like BASIC for every HTTP transaction -- matched well with the stateless nature of HTTP.

AFAIK, no browsers (maybe Mozilla, but that has the stability of a house of cards ;-) support Digest, and I'm pretty sure that Zope doesn't either :(

1) One should encrypt the info in the cookie

Definitely

2) How does one get around the stateless nature of HTTP in a secure way using cookies? In other words, unless the HTTP transaction is challenged every time, how do you really know that someone is not trying to slip into an existing session?

Hehe, welcome to one of the biggest challenges on the web...

...that, and getting your CSS to be compatible with all the major browsers ;-)

cheers,

Chris
All,

PHPlib (http://phplib.netuse.de) has a piece of javascript that creates MD5 hashes from the entries in a form, so you would never have to pass passwords in clear text: as long as the hash agrees with the one created server side, login is successful. The PHPlib docs describe it better than me, but it works great.

hth
Phil
phil.harris@zope.co.uk

----- Original Message -----
From: "Chris Withers" <chrisw@nipltd.com>
To: "albert boulanger" <aboulang@ldeo.columbia.edu>
Cc: <zope@zope.org>; <wei@ldeo.columbia.edu>; <bentz@bentz-engineering.com>
Sent: Tuesday, August 15, 2000 2:13 PM
Subject: Re: [Zope] Implementing a login form instead of BASIC authentication
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
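The challenge/response that the DIGEST discussion earlier in the thread describes, and that PHPlib's form hashing approximates in JavaScript, worked through in Python as an added example modelling both sides; it is not code from the thread, from PHPlib or from Zope. It follows the RFC 2617 Digest computation without qop: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2), with a fresh random nonce per challenge that the server accepts exactly once. Two caveats a practitioner needs here: Digest is hashing, not encryption, so the server must still hold either the plaintext password or HA1, and HA1 is password-equivalent for that realm; and if the nonce is constant or missing (a form that hashes only the password), the hash itself becomes a replayable credential, which is what the single-use check below prevents. MD5 is used because that is what Digest and PHPlib's scheme used at the time, not as a recommendation. The realm "Zope", the user "gerard", the password and the URIs are constructed for the example.

```python
"""Added example (not from the thread, PHPlib or Zope): RFC 2617 Digest-style
challenge/response with single-use nonces, modelling client and server."""
import hashlib
import hmac
import secrets
from typing import Dict, Set


def md5hex(text: str) -> str:
    # MD5 because that is what Digest (RFC 2617) and PHPlib used; not for new designs.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    return md5hex(f"{user}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    return md5hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, h2: str) -> str:
    return md5hex(f"{h1}:{nonce}:{h2}")


def client_response(user: str, realm: str, password: str,
                    nonce: str, method: str, uri: str) -> str:
    """What the browser (or PHPlib's JavaScript) sends instead of the password.

    The password never leaves the client; only a hash bound to this nonce,
    method and URI does.
    """
    return digest_response(ha1(user, realm, password), nonce, ha2(method, uri))


class DigestServer:
    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        # RFC 2617 lets the server keep HA1 instead of the password. HA1 is still
        # password-equivalent for this realm: whoever steals it can log in here.
        self._ha1 = {u: ha1(u, realm, p) for u, p in users.items()}
        self._live_nonces: Set[str] = set()

    def challenge(self) -> str:
        """Issue a fresh, unpredictable nonce, valid for exactly one response."""
        nonce = secrets.token_hex(16)
        self._live_nonces.add(nonce)
        return nonce

    def authenticate(self, user: str, nonce: str, method: str, uri: str,
                     response: str) -> bool:
        # Unknown or already-consumed nonce: a forgery, or a replay of a captured response.
        if nonce not in self._live_nonces:
            return False
        self._live_nonces.discard(nonce)   # single use, consumed even on failure
        h1 = self._ha1.get(user)
        if h1 is None:
            return False
        expected = digest_response(h1, nonce, ha2(method, uri))
        return hmac.compare_digest(expected.encode("utf-8"), response.encode("utf-8"))


if __name__ == "__main__":
    server = DigestServer("Zope", {"gerard": "secret"})   # constructed realm and user
    nonce = server.challenge()
    resp = client_response("gerard", "Zope", "secret", nonce, "GET", "/manage")
    print(server.authenticate("gerard", nonce, "GET", "/manage", resp))   # True
    print(server.authenticate("gerard", nonce, "GET", "/manage", resp))   # False: replay
```

Because every request is challenged afresh, this is the per-transaction check the thread contrasts with cookie sessions; the cost is one extra round trip per protected request and a server-side table of outstanding nonces, which in practice is bounded by giving each nonce a short lifetime.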
...that, and getting your CSS to be compatible with all the major browsers ;-)

:) hear, hear

--
Andy McKay, Developer, ActiveState
http://www.ActiveState.com
Programming for the People
participants (5)
- albert boulanger
- Andy McKay
- Chris Withers
- Phil Harris
- Stephan Goeldi