[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler

Simon Eisenmann simon at struktur.de
Tue Oct 12 04:58:18 EDT 2004


On Tue, 2004-10-12 at 10:00 +0200, Jean-Marc Orliaguet wrote:
> Simon Eisenmann wrote:
> 
> I have tried SessionCrumbler:
> 
> Problem #1: performance drops
Why should SessionCrumbler be slower than CookieCrumbler? I haven't seen
any slowdown by switching to SessionCrumbler. If it's really slower then
there is a bug somewhere which surely can be resolved.

> 
> Problem #2: is it really more secure?
> I suppose that it is going to be marketed as a "more secure 
> CookieCrumbler" for Plone.
> Fine, except that it is not. It opens a new series of possible attacks 
> while giving the user a feeling of security. The only thing an attacker 

It really is more secure, but it is not secure. Actually anything is more
secure than CookieCrumbler. CookieCrumbler stores the user password in
plain text on the filesystem of the browser. This is the worst case.
Security with SessionCrumbler is completely done on the server side,
which is usually a lot more secure than the client system.

I am not proposing a secure login for plone.

What security itches SessionCrumbler removes:

 - password no longer transmitted on every single request
   in plain text

 - password no longer stored in plain text on the client's filesystem

What security itches SessionCrumbler creates:

 - sessions can be overtaken by guessing the session id

 - server side scripts could read the password from the session


> to be adapted to not expose it in the URL.

The session which is used is the usual Zope session. The session id is
transmitted inside a cookie anyway. So no application needs any
modification for this.

You have to know that the session data itself is not stored on the
client side (a cookie or something). It's stored inside the server's
memory and so is a lot harder to reach.

Again, I am not talking about secure logins .. I am just talking about
removing a major security issue.

Best regards,
 Simon

-- 
Simon Eisenmann

[ mailto:simon at struktur.de ]

[ struktur AG | Friedrichstr. 14 | 70174 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ http://www.struktur.de | mailto:info at struktur.de ]
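The two storage models argued over in this thread, as an added illustration that is not Zope, CMF or Plone code and not the author's: a cookie that carries the credentials themselves (what the message says CookieCrumbler does) next to a cookie that carries only an opaque id for a server-side session. The user table, the `USERS`/`SESSIONS` dicts and all function names are constructed for the example. It also goes one step past the message on the two new "itches" it lists: the session records only the authenticated user unless asked to keep the password, and the id's entropy is made explicit so the guessing risk can be quantified instead of guessed at.

```python
"""
Added illustration (not Zope/CMF code): contrast the two credential-storage
models discussed in the thread.

  * cookie model: the browser keeps the credentials themselves in a cookie
    and resends them on every request.
  * session model: the browser keeps only an opaque session id; the
    credentials, or better just the authenticated user id, live on the server.
"""
import base64
import hmac
import secrets

# Constructed sample user table: username -> password.  Kept in plain text
# only because the point here is what the *client* ends up holding.
USERS = {"alice": "correct horse battery staple"}


def verify(user, password):
    """Constant-time comparison of a submitted password against USERS."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode()
    )


# --- cookie model ----------------------------------------------------------

def cookie_login(user, password):
    """Return the cookie value the client would store, or None on failure.

    The value is merely base64-encoded, i.e. effectively plain text: anything
    that can read the cookie file or see the request recovers the password.
    """
    if not verify(user, password):
        return None
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def cookie_decode(cookie_value):
    """What every request carrying the cookie hands to the server (and to
    anything in between): the original credentials."""
    user, _, password = base64.b64decode(cookie_value).decode().partition(":")
    return user, password


# --- session model ---------------------------------------------------------

SESSIONS = {}          # server-side store: session id -> session data
SESSION_ID_BYTES = 32  # 256 bits of randomness per id


def session_login(user, password, store_password=False):
    """Return the opaque session id the client receives, or None on failure.

    Only the id travels in the cookie.  By default the session records just
    the authenticated user, so server-side code that reads the session cannot
    recover the password (the second new risk the message lists).
    """
    if not verify(user, password):
        return None
    sid = secrets.token_urlsafe(SESSION_ID_BYTES)
    data = {"user": user}
    if store_password:          # the variant the message warns about
        data["password"] = password
    SESSIONS[sid] = data
    return sid


def session_lookup(sid):
    """Resolve a presented session id; unknown ids yield None."""
    return SESSIONS.get(sid)


def session_id_entropy_bits(num_bytes=SESSION_ID_BYTES):
    """Bits of entropy in a token_urlsafe(num_bytes) id.  Guessing an id
    (the first new risk in the message) only matters when this number is
    small or the generator is predictable."""
    return num_bytes * 8


def guess_success_probability(num_bytes=SESSION_ID_BYTES, live_sessions=1, attempts=1):
    """Upper bound on the chance that `attempts` random guesses hit one of
    `live_sessions` valid ids drawn from a space of 2**(8*num_bytes)."""
    space = 2 ** (8 * num_bytes)
    return min(1.0, attempts * live_sessions / space)


if __name__ == "__main__":
    cookie = cookie_login("alice", "correct horse battery staple")
    print("cookie model, client holds:", cookie, "->", cookie_decode(cookie))
    sid = session_login("alice", "correct horse battery staple")
    print("session model, client holds:", sid, "-> server has", session_lookup(sid))
    print("session id entropy:", session_id_entropy_bits(), "bits")
```

Running it shows the asymmetry the message describes: the first cookie decodes straight back to `alice` and her password, while the second is a random string that is meaningless without the server's `SESSIONS` store. The entropy helpers make the "guessing the session id" concern concrete: with 256-bit ids the bound stays negligible, whereas a one-byte id is exhausted in 256 attempts, so the id generator, not the storage location, is what decides that risk.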
