[Zope-dev] Re: [patch] More secure cookie crumbler?
Shane Hathaway
shane at zope.com
Tue Apr 20 10:54:35 EDT 2004
On Tue, 20 Apr 2004, Peter Sabaini wrote:
> Shane Hathaway wrote:
> > Even with unbreakable encryption of credentials after login, you still
> > send the username and password in the clear at login time, and sniffers
> > can reuse the session ID with ease. You really shouldn't tell the Plone
> > users they will be safer with a session token, because they won't.
>
> Why not make the login page itself SSL-protected then?
If you're going to go to the trouble of setting up SSL, why not encrypt
the whole session? Let anonymous users come in via HTTP, then go all-SSL
for logged in users. Sourceforge is a great example of this.
Shane
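The HTTP-for-anonymous, HTTPS-for-logged-in split discussed above, sketched as a WSGI middleware. This is an added example, not code from the thread or from CookieCrumbler; it assumes TLS is visible to the application as wsgi.url_scheme and uses CookieCrumbler's default names (cookie "__ac", paths "login_form" and "logged_in") as assumptions.

```python
# Added example, not code from the thread or CookieCrumbler. Assumes TLS shows as
# wsgi.url_scheme and CookieCrumbler defaults: cookie "__ac", paths "login_form"/"logged_in".
from http.cookies import SimpleCookie
from urllib.parse import quote

AUTH_COOKIE = "__ac"
LOGIN_PATHS = ("/login_form", "/logged_in")


def login_cookie_header(value):
    # Set-Cookie value for a new login cookie. Secure: the browser never sends
    # it over plain HTTP, so nothing is on the wire for a sniffer to replay.
    jar = SimpleCookie()
    jar[AUTH_COOKIE] = value
    jar[AUTH_COOKIE]["secure"] = True
    jar[AUTH_COOKIE]["httponly"] = True  # page scripts cannot read it either
    jar[AUTH_COOKIE]["path"] = "/"
    return jar[AUTH_COOKIE].OutputString()


def has_login_cookie(environ):
    return AUTH_COOKIE in SimpleCookie(environ.get("HTTP_COOKIE", ""))


class SSLForLoggedIn:
    # Anonymous browsing stays on HTTP; login page, credential post and logged-in users go HTTPS.
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if environ["wsgi.url_scheme"] != "https" and (
                path in LOGIN_PATHS or has_login_cookie(environ)):
            # A cookie that did arrive in the clear is already exposed (the Secure flag
            # prevents that); this redirect keeps a user who followed an http:// link on SSL.
            target = "https://" + environ["HTTP_HOST"] + quote(path)
            start_response("302 Found", [("Location", target), ("Content-Length", "0")])
            return [b""]
        return self.app(environ, start_response)


def whoami(environ, start_response):
    # Stand-in for Zope: reports whether a login cookie reached the application.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"logged-in" if has_login_cookie(environ) else b"anonymous"]


def run(app, scheme, path="/Members", cookie=""):
    # Drive one request through app; returns (status, headers dict, body).
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": "plone.example", "PATH_INFO": path, "HTTP_COOKIE": cookie}
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.extend((status, dict(headers)))))
    return seen[0], seen[1], body
```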