[ZDP] BackTalk to Document The Zope Book (2.5 Edition)/Using Basic Zope Objects
webmaster@zope.org
Tue, 24 Sep 2002 09:37:49 -0400
A comment to the paragraph below was recently added via http://www.zope.org/Documentation/Books/ZopeBook/current/BasicObject.stx#2-88
---------------
It is important to realize that keeping sensitive data in a
session data object is potentially insecure unless the connection
between browsers and Zope is encrypted in some way. Don't store
sensitive information such as phone numbers, addresses, account
numbers, credit card numbers or any other personal information
about your site visitors unless you've secured the connection
between Zope and site visitors via SSL.
% Anonymous User - Sep. 24, 2002 8:49 am:
So the actual session data is stored on the client side (in a cookie or form variables)? Wouldn't it be
better (more secure and less traffic) if the session data was instead stored on the server, where the client
kept/transmitted only the session id?
% Anonymous User - Sep. 24, 2002 9:11 am:
No. The session data is stored on the server. It is referred to only by a cookie on the client. The security
risk revolves around the fact that if an interceptor gets the cookie value, they have access to the data on
the server.
% Anonymous User - Sep. 24, 2002 9:23 am:
Well then it doesn't seem that the interceptor would necessarily have *access* to the data (in the sense that
he could see, for example, the credit card number). But he could pose as the user, which would allow him to
*use* the credit card number.
% Anonymous User - Sep. 24, 2002 9:37 am:
Yes, the user could use the credit card number. He might not be able to see the credit card number if you're
absolutely sure that the user can never see a representation of the session data. But if the interceptor
found another hole in the system, he might be able to see the credit card number.
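The model the thread settles on (session data held on the server, the browser carrying only an opaque id, and that id being worth exactly as much as the data it unlocks) can be shown in a few lines. The following is an added example written for this page; it is not code from the Zope Book or from Zope itself. The cookie name `_ZopeId`, the 20-minute lifetime and the sample record are assumptions made for the example. The `Secure` attribute on the cookie is how the book's "only over SSL" caveat is enforced at the browser: the id is never sent over plain HTTP, so there is nothing for an interceptor on the wire to copy, while `HttpOnly` keeps it out of reach of page scripts.

```python
"""Server-side session store with an opaque cookie (added example, not Zope code)."""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "_ZopeId"   # assumed cookie name for this example
SESSION_TTL = 20 * 60        # seconds of inactivity before the server forgets a session


class SessionStore:
    """Session data never leaves the server; clients hold only the random id."""

    def __init__(self):
        self._sessions = {}

    def create(self, data, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # 256 random bits: the id cannot be guessed
        self._sessions[sid] = {"data": dict(data), "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid, now=None):
        """Whoever presents a valid id gets the record: the id *is* the credential."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:
            del self._sessions[sid]       # an expired id is useless even if it was copied
            return None
        entry["expires"] = now + SESSION_TTL   # sliding expiry limits the window of exposure
        return entry["data"]

    def destroy(self, sid):
        """Logout: drop the record so a captured id stops working immediately."""
        return self._sessions.pop(sid, None) is not None


def set_cookie_header(sid):
    """Build the Set-Cookie header; only the opaque id goes to the browser."""
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    m = c[SESSION_COOKIE]
    m["path"] = "/"
    m["httponly"] = True     # not readable from page scripts
    m["secure"] = True       # browser sends it over TLS only: the book's SSL caveat
    m["samesite"] = "Lax"    # not attached to most cross-site requests
    return m.OutputString()


def session_from_cookie_header(store, cookie_header, now=None):
    """Resolve an incoming Cookie header to the server-side record, or None."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(SESSION_COOKIE)
    if morsel is None:
        return None
    return store.lookup(morsel.value, now=now)


def render_for_user(session_data):
    """What pages show: a masked representation, so the full number is never displayed."""
    card = session_data.get("card_number", "")
    return {"name": session_data.get("name"), "card": "****" + card[-4:]}


if __name__ == "__main__":
    # Constructed sample record; not real data.
    store = SessionStore()
    sid = store.create({"name": "Alice", "card_number": "4111111111111111"})
    print(set_cookie_header(sid))
    print(render_for_user(session_from_cookie_header(store, "_ZopeId=" + sid)))
    store.destroy(sid)
    print(session_from_cookie_header(store, "_ZopeId=" + sid))   # None after logout
```

The masking in `render_for_user` is the point made in the last reply: the interceptor who holds the id sees only what the site chooses to render, but every request carrying that id acts with the full record behind it, which is why the cookie itself has to travel over an encrypted connection and why destroying the record at logout and expiring it on inactivity matter.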