Security: acl_users' passwds encrypted?
Hi, all. Just a quick question I can't find the answer to... When the user is prompted by Zope to login (user defined role, limited page access, etc.), are the username and password sent from the client to the Zope server in clear text or are they encrypted somehow? Thanks in advance. -Gary
On Thu, 8 Feb 2001, Gary Perez wrote:
> When the user is prompted by Zope to login (user defined role, limited page access, etc.), are the username and password sent from the client to the Zope server in clear text or are they encrypted somehow?
It depends on whether you use HTTP or HTTPS. On HTTP passwords go absolutely unencrypted.

Oleg.
----
Oleg Broytmann http://www.zope.org/Members/phd/ phd@phd.pp.ru
Programmers don't die, they just GOSUB without RETURN.
Even using Cookie mode authentication with the LoginManager product, the user/password data is merely base64 encoded (not encrypted).

Someday I'd like to get a challenge/response authentication going, where the server sends a one-time challenge value and the client/browser uses MD5 (via JavaScript) to hash the user's password combined with that one-time code. This works great in PHPlib. But I don't understand the architecture of LoginManager well enough yet to hack it.

Someone pointed out that the ArsDigita Community System (for AOLserver ("openNSD"!)) also has a well-thought-out user authentication system that might serve as a good model for extending LoginManager.

On Thu, Feb 08, 2001 at 09:01:51PM +0300, Oleg Broytmann wrote:
> It depends on whether you use HTTP or HTTPS. On HTTP passwords go absolutely unencrypted.
--
Fred Yankowski fred@OntoSys.com tel: +1.630.879.1312
Principal Consultant www.OntoSys.com fax: +1.630.879.1370
OntoSys, Inc 38W242 Deerpath Rd, Batavia, IL 60510, USA
> Even using Cookie mode authentication with the LoginManager product, the user/password data is merely base64 encoded (not encrypted).
>
> Someday I'd like to get a challenge/response authentication going, where the server sends a one-time challenge value and the client/browser uses MD5 (via JavaScript) to hash the user's password combined with that one-time code. This works great in PHPlib. But I don't understand the architecture of LoginManager well enough yet to hack it.
Better yet, wider client support for HTTP Digest authentication (a standards-based equivalent to the above).

Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
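The two points made above, that a base64-encoded credential is readable by anyone who captures it, and that a nonce-based scheme such as HTTP Digest (RFC 2617) lets the server check a password without it ever crossing the wire, are shown below in an added Python example. It is not code from this thread, from Zope or from LoginManager; the user name, password, realm and URI are constructed values, and the server class is a deliberately minimal verifier (one-time nonces consumed on first successful use, HA1 stored instead of the password) rather than a full RFC 2617 implementation.

```python
import base64
import hashlib
import secrets

# Constructed example values; not real accounts or hosts.
USER, PASSWORD, REALM = "gary", "s3cret", "Zope"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value that Basic auth (and a base64 cookie) carries."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value: str) -> tuple[str, str]:
    """Recover user and password from a Basic credential.

    This is all an eavesdropper on plain HTTP has to do: base64 is an encoding,
    not encryption, so the decode needs no key.
    """
    scheme, _, blob = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617 Digest with qop=auth and algorithm=MD5.

    Only this hash travels to the server; the password itself never does.
    """
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server-side verifier (simplification of RFC 2617, assumed here).

    Stores HA1 rather than the clear password, hands out a fresh random nonce
    for every challenge, and discards a nonce once a response against it has
    been accepted, so a captured response cannot simply be replayed.
    """

    def __init__(self, realm: str, users: dict[str, str]):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces: set[str] = set()

    def challenge(self) -> str:
        """Issue a one-time nonce (what the WWW-Authenticate header would carry)."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        """Recompute the expected response from stored HA1 and compare."""
        if nonce not in self.live_nonces or user not in self.ha1:
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[user]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.live_nonces.discard(nonce)  # consume: a second use is refused
        return ok


if __name__ == "__main__":
    print("Basic decodes to:", decode_basic(basic_header(USER, PASSWORD)))
    server = DigestServer(REALM, {USER: PASSWORD})
    nonce = server.challenge()
    resp = digest_response(USER, REALM, PASSWORD, "GET", "/manage", nonce, "00000001", "c0ffee")
    print("Digest accepted:", server.verify(USER, "GET", "/manage", nonce, "00000001", "c0ffee", resp))
    print("Replay accepted:", server.verify(USER, "GET", "/manage", nonce, "00000001", "c0ffee", resp))
```

The `digest_response` function reproduces the worked example in RFC 2617 section 3.5 exactly, so it can be checked against that text. The server side is what a challenge/response scheme buys over base64 even on plain HTTP: a sniffer sees a nonce and a hash, not the password, and the hash is useless once the nonce has been consumed. It does not protect the session content itself; that is still HTTPS's job.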