[Zope-dev] Re: [patch] More secure cookie crumbler?
Peter Sabaini
peter at sabaini.at
Tue Apr 20 10:46:51 EDT 2004
Shane Hathaway wrote:
> On Tue, 20 Apr 2004, Chris Withers wrote:
>
>> I wonder how many Plone users are aware their passwords are stored
>> unencrypted in client cookies which fly back and forth waiting to be
>> snapped up by packet sniffers, XSS, and JS attacks ;-)
>
> Even with unbreakable encryption of credentials after login, you still
> send the username and password in the clear at login time, and sniffers
> can reuse the session ID with ease. You really shouldn't tell the Plone
> users they will be safer with a session token, because they won't.
>
> Shane
Why not make the login page itself SSL-protected then?
peter.
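The two cookie designs the thread is arguing about, side by side, as an added illustration (this is not code from the thread, from Zope, or from Plone's cookie crumbler). The first builder reproduces the pattern Chris objects to: the cookie value is the credential itself, so anyone who reads it holds the password. The second issues an opaque random token that only means something to a hypothetical server-side `SessionStore`, marks the cookie `Secure` (sent only over TLS, which is Peter's point about SSL) and `HttpOnly` (unreadable from page script), expires it, and can revoke it. Shane's caveat still holds: none of this protects the login request itself unless that request is also carried over TLS. All names, the TTL and the sample credentials are constructed for the example.

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 3600  # seconds; constructed value for the example


def credential_cookie(username, password):
    """The pattern the thread objects to: the cookie *is* the credential.

    Whoever captures this header (sniffer, XSS, page script) has the password,
    and there is nothing the server can revoke short of changing the password.
    """
    c = SimpleCookie()
    c["__ac"] = f"{username}:{password}"
    return c.output(header="").strip()


class SessionStore:
    """Hypothetical server-side store mapping opaque tokens to users."""

    def __init__(self):
        self._sessions = {}

    def create(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output, no user data inside
        self._sessions[token] = {"user": username, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        now = time.time() if now is None else now
        if not isinstance(token, str) or not token.isascii():
            return None
        match = None
        for stored in self._sessions:
            # constant-time comparison so response timing cannot leak token bytes
            if hmac.compare_digest(stored, token):
                match = stored
        if match is None:
            return None
        record = self._sessions[match]
        if record["expires"] < now:
            del self._sessions[match]  # expired tokens stop working on their own
            return None
        return record["user"]

    def revoke(self, token):
        """A stolen token can be invalidated server-side; a stolen password cannot."""
        self._sessions.pop(token, None)


def session_cookie(token):
    """Set-Cookie value for the token: TLS-only, hidden from page script."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["secure"] = True    # browser sends it only over https://
    c["session"]["httponly"] = True  # document.cookie cannot read it
    c["session"]["path"] = "/"
    return c.output(header="").strip()


def user_from_cookie_header(store, cookie_header, now=None):
    """Server side: parse the Cookie request header and resolve it to a user."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("session")
    if morsel is None:
        return None
    return store.lookup(morsel.value, now=now)


if __name__ == "__main__":
    print(credential_cookie("alice", "hunter2"))  # constructed sample credentials
    store = SessionStore()
    tok = store.create("alice")
    print(session_cookie(tok))
    print(user_from_cookie_header(store, f"session={tok}"))
```

The design point is where the secret lives: with the credential cookie the browser holds the password and every hop sees it; with the session cookie the browser holds a random handle and the server holds the mapping, so exposure is bounded by `SESSION_TTL` and by `revoke()`.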