Re: [Zope] Zope security management
[Sorry - my mailer cheated on me. Once more.]

This is not in Zope yet, I am working on making it so. Here's how I do it in PL/SQL. Two steps:

1) The form action element calls the login method using https://

    <form method="post" action="https://...../mts2.login">

This is not necessary however, you could still use

    <form method="post" action="mts2.login">

because

2) The login method checks to see if it is called from a valid port. This is the first statement in the method (or procedure, as it is called in PL/SQL-ish):

    begin
      -- check if we are secure
      if not wutl.is_ssl then
        raise ssl_not_used;  -- declared in the package as: ssl_not_used exception;
      end if;

Here is the is_ssl procedure:

    function is_ssl return boolean is
      current_port varchar2(5);
    begin
      -- is_ssl returns true if the port number of the call is from valid ports
      -- SSL uses 443 as standard
      -- use cgi environment variable: SERVER_PORT = 443
      current_port := owa_util.get_cgi_env('SERVER_PORT');
      if NVL(to_number(current_port), 0) in (443) then
        return true;
      end if;
      return false;  -- if null or not eq SSL_PORT
    end;

Now in Zope we have access to more info than I have with the PL/SQL Web Toolkit. Besides using the Server Port, I could also look at the URL, the Server URL and some more elements in the REQUEST object, and watch for URLs that begin with "https:". What I am not sure about is how this would work with Apache running as a Proxy.

Anyway; this works for me in the PL/SQL things I run, and makes sure that the requests I accept in my programs are used only with SSL on known ports. This of course assumes knowledge that I actually run SSL on the specified ports.

/dario

----- Original Message -----
From: "Bill Welch" <bill@carbonecho.com>
To: <zope@zope.org>
Sent: Thursday, March 22, 2001 8:16 PM
Subject: Re: [Zope] Zope security management
Please share with us how you make sure that the login form can only be used over SSL.
Bill.
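The checks Dario describes above (SERVER_PORT against a list of ports known to carry SSL, plus watching for an https: scheme on the URL and SERVER_URL the request object carries) and his open question about Apache running as a proxy, carried through as an added Python example. This is not Zope's code and not the PL/SQL Web Toolkit's; it works on a plain dict of CGI-style variables under the names Zope's REQUEST exposes (SERVER_PORT, SERVER_URL, URL, REMOTE_ADDR, HTTP_* headers). The SSL port set, the trusted proxy address and the sample requests are constructed assumptions for illustration, not captured traffic.

```python
"""Port- and URL-based check that a login request arrived over SSL.

Added example, not Zope's or the PL/SQL Web Toolkit's own code. Operates on a
dict of CGI-style variables (the names Zope's REQUEST exposes). The port set
and proxy address below are assumptions for the example.
"""
from urllib.parse import urlsplit

# Assumption: the ports on which we know SSL is actually terminated. As the
# post says, the check is only as good as our knowledge of these ports.
SSL_PORTS = frozenset({443})

# Assumption: address of the Apache reverse proxy in front of the application.
# Only this peer may vouch for the original scheme via X-Forwarded-Proto.
TRUSTED_PROXIES = frozenset({"127.0.0.1"})


class SSLNotUsed(Exception):
    """Raised when a request that must be protected did not arrive over SSL."""


def _port(environ):
    """SERVER_PORT as an int; 0 when missing or non-numeric (like NVL(to_number(..), 0))."""
    try:
        return int(environ.get("SERVER_PORT", ""))
    except ValueError:
        return 0


def _scheme(url):
    """Lower-cased URL scheme, or '' when the URL is absent or has no scheme."""
    return urlsplit(url or "").scheme.lower()


def is_ssl(environ, ssl_ports=SSL_PORTS, trusted_proxies=TRUSTED_PROXIES):
    """True only when the request evidently arrived over SSL.

    Direct connections: trust the server's own view, i.e. SERVER_PORT is one of
    the known SSL ports, or the server built SERVER_URL / URL with https.
    Proxied connections: the backend only sees its own (plain) port, so consult
    X-Forwarded-Proto, but only when the peer really is the trusted proxy. A
    client that reaches the backend directly cannot vouch for itself.
    """
    peer = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if peer in trusted_proxies and forwarded:
        # Take the first value in case the proxy appended to an existing header.
        return forwarded.split(",")[0].strip().lower() == "https"

    if _port(environ) in ssl_ports:
        return True
    # Secondary evidence: the absolute URLs the server computed for this request.
    return _scheme(environ.get("SERVER_URL")) == "https" or _scheme(environ.get("URL")) == "https"


def require_ssl(environ):
    """The gate at the top of the login handler: refuse before touching credentials."""
    if not is_ssl(environ):
        raise SSLNotUsed("login must be submitted over SSL")
    return True


# Constructed sample requests (not captured traffic).
DIRECT_HTTPS = {"SERVER_PORT": "443", "REMOTE_ADDR": "203.0.113.9",
                "SERVER_URL": "https://app.example", "URL": "https://app.example/login"}
DIRECT_HTTP = {"SERVER_PORT": "80", "REMOTE_ADDR": "203.0.113.9",
               "SERVER_URL": "http://app.example", "URL": "http://app.example/login"}
# Apache terminated SSL and proxies plain HTTP to the backend on 8080.
PROXIED_HTTPS = {"SERVER_PORT": "8080", "REMOTE_ADDR": "127.0.0.1",
                 "HTTP_X_FORWARDED_PROTO": "https",
                 "SERVER_URL": "http://localhost:8080", "URL": "http://localhost:8080/login"}
# A client that reached the backend directly and forged the proxy header.
FORGED_HEADER = {"SERVER_PORT": "8080", "REMOTE_ADDR": "203.0.113.9",
                 "HTTP_X_FORWARDED_PROTO": "https",
                 "SERVER_URL": "http://localhost:8080", "URL": "http://localhost:8080/login"}

if __name__ == "__main__":
    for name, env in [("direct https", DIRECT_HTTPS), ("direct http", DIRECT_HTTP),
                      ("proxied https", PROXIED_HTTPS), ("forged header", FORGED_HEADER)]:
        print("%-14s -> is_ssl=%s" % (name, is_ssl(env)))
```

The proxy branch is the answer to the Apache question: once SSL is terminated in front of the application, SERVER_PORT and SERVER_URL describe the hop between proxy and backend, not the client's connection, so the backend has to be told the original scheme by the proxy and must accept that claim only from the proxy's own address. Everything else in the function is the same decision the PL/SQL version makes, with a non-numeric or missing SERVER_PORT treated as "not SSL".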
participants (1)
- Dario Lopez-Kästen