[Zope-dev] Re: [patch] More secure cookie crumbler?

Peter Sabaini peter at sabaini.at
Tue Apr 20 10:46:51 EDT 2004


Shane Hathaway wrote:
> On Tue, 20 Apr 2004, Chris Withers wrote:
> 
> 
>>I wonder how many Plone users are aware their passwords are stored
>>unencrypted in client cookies which fly back and forth waiting to be
>>snapped up by packet sniffers, XSS, and JS attacks ;-)
> 
> 
> Even with unbreakable encryption of credentials after login, you still
> send the username and password in the clear at login time, and sniffers
> can reuse the session ID with ease.  You really shouldn't tell the Plone
> users they will be safer with a session token, because they won't.
> 
> Shane

Why not make the login page itself SSL-protected then?

peter.
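The thread contrasts a cookie that carries the password itself with a session token, and Shane's point is that a token is only as good as the channel it travels on. The following is an added illustration of the defensive pattern, not code from CookieCrumbler, Plone or any poster: credentials are checked once, the cookie carries only an opaque random token that means nothing outside the server's own table, the cookie is flagged `Secure` and `HttpOnly` so it neither crosses plain HTTP nor is readable by page scripts, and a token can be expired or revoked server-side. The cookie name `__ac_session`, the user store, salt and lifetime are all constructed for the example.

```python
"""Opaque session tokens instead of credential-bearing cookies (hypothetical example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed user store: salted SHA-256 of the password, never the password
# itself. A real deployment would use a slow password hash (bcrypt, scrypt, argon2).
_SALT = b"constructed-salt"
USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}

SESSION_TTL = 3600  # seconds a token stays valid (constructed value)


@dataclass
class Session:
    user: str
    expires: float


# token -> Session. This table is the only place a token has any meaning,
# so a captured cookie yields a revocable, expiring handle, not the password.
_SESSIONS: Dict[str, Session] = {}


def _verify_password(user: str, password: str) -> bool:
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = USERS.get(user)
    # Constant-time comparison; unknown users fail the same way as bad passwords.
    return stored is not None and hmac.compare_digest(stored, digest)


def login(user: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Check credentials once (on the TLS-protected login page) and return an opaque token."""
    if not _verify_password(user, password):
        return None
    now = time.time() if now is None else now
    # 256 bits from the OS CSPRNG; nothing about the token is derived from the password.
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = Session(user=user, expires=now + SESSION_TTL)
    return token


def set_cookie_header(token: str) -> str:
    """Set-Cookie value: Secure keeps it off plaintext HTTP, HttpOnly keeps it from page scripts."""
    return f"__ac_session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def resolve(token: str, now: Optional[float] = None) -> Optional[str]:
    """Map a presented token back to a user, rejecting unknown or expired tokens."""
    now = time.time() if now is None else now
    session = _SESSIONS.get(token)
    if session is None:
        return None
    if session.expires <= now:
        del _SESSIONS[token]  # expired tokens are purged, never honoured
        return None
    return session.user


def logout(token: str) -> None:
    """Revoke server-side: any stolen copy of the cookie stops working at once."""
    _SESSIONS.pop(token, None)


if __name__ == "__main__":
    issued = login("alice", "correct horse")
    print(set_cookie_header(issued))
    print(resolve(issued))
```

The design choice worth noting is that nothing in the cookie is recoverable to a password: a sniffer or injected script that captures `__ac_session` gets a value that expires after `SESSION_TTL` and dies the moment `logout` runs, whereas a cookie holding the password stays useful until the user changes it. The `Secure` flag is what addresses Shane's objection that the token itself would otherwise be sniffed just as easily.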