[Zope-CMF] CookieCrumbler security issue?
Lennart Regebro
regebro at nuxeo.com
Wed Jan 21 11:45:29 EST 2004
Chris Withers wrote:
> I know this is what happens with basic auth when it's not over https
> too, but I'm interested in making Cookie Crumbler authentication more
> secure...
>
> My initial idea was to crypt the details sent to the user, but this
> really doesn't help too much other than obscuring the actual username
> and password. The crypted cookie could still be used just as effectively
> to gain unauthorised access.
>
> What solutions would you guys propose?
Well, CookieCrumbler (and other cookie-based auths) have one main
purpose: Making it possible to log out!
If you want higher security, then I think something else should be used.
That said, making it more secure is not necessarily a bad idea. For example,
instead of username + password sent, a ticket could be sent as a cookie,
and the zope-server could keep track of which user each ticket belonged
to. That way the username and password are sent only once, when you send
the login form.
It's not secure, but it's an improvement. In fact, it's enough of an
improvement that I might try implementing it in PluggableUserFolders
cookie_identification plugin. Hmm...
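The ticket scheme sketched above, written out as an added example. This is not code from the original post, from CookieCrumbler or from PluggableUserFolders; the salted PBKDF2 password storage, the in-memory ticket dict, the one-hour TTL and the sample account are all assumptions made for the illustration. The credentials are checked once at login, the cookie then carries only a random ticket, and the server maps that ticket back to a user until logout or expiry.

```python
import hashlib
import hmac
import secrets
import time

# Assumed for this example: passwords are stored as salted PBKDF2-SHA256 hashes.
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_db(accounts):
    """Build a {username: (salt, hash)} table from plaintext accounts (constructed input)."""
    db = {}
    for name, password in accounts.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, _hash_password(password, salt))
    return db


class TicketStore:
    """Server-side table mapping random tickets to users.

    The cookie sent to the browser holds only the ticket, never the
    username or password, so the credentials cross the wire once,
    with the login form.  The clock is injectable so expiry can be tested.
    """

    def __init__(self, user_db, ttl=3600, clock=time.time):
        self.user_db = user_db
        self.ttl = ttl                 # assumed lifetime of a ticket, seconds
        self.clock = clock
        self._tickets = {}             # ticket -> (username, expiry time)

    def login(self, username, password):
        """Check the credentials once; on success return a fresh random ticket."""
        rec = self.user_db.get(username)
        if rec is None:
            return None
        salt, stored = rec
        # Constant-time comparison so a wrong guess does not leak by timing.
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        ticket = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._tickets[ticket] = (username, self.clock() + self.ttl)
        return ticket

    def identify(self, ticket):
        """Map a cookie value back to a username; None if unknown or expired."""
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() > expiry:
            del self._tickets[ticket]
            return None
        return username

    def logout(self, ticket):
        """Invalidate the ticket server-side; the cookie becomes worthless."""
        self._tickets.pop(ticket, None)


if __name__ == "__main__":
    # Constructed sample account and session for a local run.
    store = TicketStore(make_user_db({"alice": "correct horse"}), ttl=3600)
    ticket = store.login("alice", "correct horse")
    print("cookie value:", ticket)
    print("identified as:", store.identify(ticket))
    store.logout(ticket)
    print("after logout:", store.identify(ticket))
```

The improvement is exactly the one described above: a captured cookie no longer reveals the password, and logging out actually revokes it. The caveat also stays as stated: the ticket is a bearer value, so anyone who captures it on a plain-HTTP connection can present it and be identified as that user until logout or expiry, which is why this is "not secure, but an improvement" rather than a replacement for HTTPS.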