[Zope-dev] Re: [patch] More secure cookie crumbler?
Peter Sabaini
peter at sabaini.at
Tue Apr 20 10:54:54 EDT 2004
Chris Withers wrote:
> Shane Hathaway wrote:
>
>> Hmm. I really wasn't expecting any new code yet. Session cookies are a
>> very significant maintenance burden in Zope, and it's not in my interest
>> to support them. If you don't mind, I think I'll release a version of CC
>> without any session support, then I'll give Chris Withers the maintainer
>> hat. He'll start with your latest version.
>
>
> I'll certainly take that on, if only because Cookie Crumbler is in such
> wide use.
>
> I wonder how many Plone users are aware their passwords are stored
> unencrypted in client cookies which fly back and forth waiting to be
> snapped up by packet sniffers, XSS, and JS attacks ;-)
>
> That said, basic auth ain't much better, but at least that's protectable
> by SSL...
Cookies and Basic Auth are both transmitted via HTTP headers, so both
should benefit from SSL.
Another question of course is what happens afterwards; in my experience
at least IE has a tendency to store even session cookies longer than one
might expect (i.e. the lifetime of the browser instance).
I made a patch to CC to encrypt auth tokens with AES; though that's not
ideal, it should help a little.
> Hmmm, I wonder about sticking the token in the URL as an option, as with
> the SESSION stuff...
>
> Chris
>
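As an added illustration of the alternative to the plaintext cookie discussed above (this is not Peter's patch or CookieCrumbler code, and it uses an HMAC-signed, expiring token from the Python stdlib instead of AES encryption): the cookie carries only a user name and expiry plus a MAC, so a sniffer or XSS payload that reads it never sees a password, and a stolen token stops working after `ttl` seconds.

```python
# Added example (not from Peter Sabaini's patch or CookieCrumbler): a
# stateless, expiring cookie token authenticated with HMAC-SHA256 from the
# Python stdlib, used here in place of the AES encryption the patch applies.
import base64
import hashlib
import hmac
import secrets
import time

MAC_LEN = 32  # SHA-256 output size; the MAC is appended to the payload


def make_plain_cookie(user, password):
    """What the thread describes: credentials readable by anyone who sees the cookie."""
    return f"{user}:{password}"


def make_token(user, secret, ttl=3600, now=None):
    """Build 'user|expiry' + HMAC, base64url-encoded. No password in the cookie."""
    if "|" in user:
        raise ValueError("user name must not contain the separator")
    expires = int((now if now is not None else time.time()) + ttl)
    payload = f"{user}|{expires}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_token(token, secret, now=None):
    """Return the user name if the MAC and expiry check out, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None  # forged or tampered token, or wrong server key
        user, expires = payload.decode().rsplit("|", 1)
        if int(expires) < (now if now is not None else time.time()):
            return None  # a stolen token is still replayable until this point
        return user
    except ValueError:  # bad base64, bad UTF-8, missing separator, bad int
        return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key; would live in server config
    tok = make_token("alice", key, ttl=60)
    print(make_plain_cookie("alice", "s3cret"), tok, verify_token(tok, key))
```

Note that signing or encrypting the cookie does not stop replay of a captured token within its lifetime; SSL on the wire and a short `ttl` are what narrow that window.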