[ZDP] BackTalk to Document The Zope Book (2.5 Edition)/Using Basic Zope Objects
webmaster@zope.org
Tue, 24 Sep 2002 09:11:50 -0400
A comment to the paragraph below was recently added via http://www.zope.org/Documentation/Books/ZopeBook/current/BasicObject.stx#2-88
---------------
It is important to realize that keeping sensitive data in a
session data object is potentially insecure unless the connection
between browsers and Zope is encrypted in some way. Don't store
sensitive information such as phone numbers, addresses, account
numbers, credit card numbers or any other personal information
about your site visitors unless you've secured the connection
between Zope and site visitors via SSL.
% Anonymous User - Sep. 24, 2002 8:49 am:
So the actual session data is stored on the client side (in a cookie or form variables)? Wouldn't it be
better (more secure and less traffic) if the session data was instead stored on the server, where the client
kept/transmitted only the session id?
% Anonymous User - Sep. 24, 2002 9:11 am:
No. The session data is stored on the server. It is referred to only by a cookie on the client. The security
risk revolves around the fact that if an interceptor gets the cookie value, they have access to the data on
the server.
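As an added example (not from the Zope Book or from either comment above), here is a Python sketch of the arrangement the reply describes: session data held on the server, the browser holding only an opaque id, and the Set-Cookie attributes that keep that id off a plaintext connection. It assumes `_ZopeId` as the cookie name (Zope's default browser-id cookie, as far as I recall) and that the server can tell whether a request arrived over TLS.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "_ZopeId"  # assumed: Zope's default browser-id cookie name


class SessionStore:
    """Server-side session store: the browser never sees the data, only an id."""

    def __init__(self):
        self._data = {}

    def create(self, **fields):
        # 256 bits from the OS CSPRNG; the id must be unguessable because
        # whoever presents it IS the session as far as the server can tell.
        sid = secrets.token_urlsafe(32)
        self._data[sid] = dict(fields)
        return sid

    def lookup(self, sid):
        return self._data.get(sid)


def set_cookie_header(sid, secure=True):
    """Build the Set-Cookie header value for a freshly created session id.

    Secure   -> the browser sends the id only over HTTPS, so a plaintext
                interceptor never sees it on the wire.
    HttpOnly -> page scripts cannot read it, narrowing the ways it can leak.
    """
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["httponly"] = True
    if secure:
        c[COOKIE_NAME]["secure"] = True
    return c.output(header="").strip()


def handle_request(store, cookie_header, over_tls):
    """Resolve the session referenced by an incoming Cookie header.

    An id that arrives over plaintext is treated as already exposed and is
    not honoured; over TLS, any holder of a valid id gets the stored data,
    which is exactly the risk the reply above points out.
    """
    if not over_tls:
        return None
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(COOKIE_NAME)
    if morsel is None:
        return None
    return store.lookup(morsel.value)
```

The Secure attribute is what actually keeps the id off an unencrypted hop; the `over_tls` check only mirrors that on the server side (behind a TLS terminator it would read a forwarded-protocol header instead).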