[Zope-dev] Re: [patch] More secure cookie crumbler?
Peter Sabaini
peter at sabaini.at
Tue Apr 20 11:15:02 EDT 2004
Shane Hathaway wrote:
> On Tue, 20 Apr 2004, Peter Sabaini wrote:
>
>
>>Shane Hathaway wrote:
>>
>>>Even with unbreakable encryption of credentials after login, you still
>>>send the username and password in the clear at login time, and sniffers
>>>can reuse the session ID with ease. You really shouldn't tell the Plone
>>>users they will be safer with a session token, because they won't.
>>
>>Why not make the login page itself SSL-protected then?
>
>
> If you're going to go to the trouble of setting up SSL, why not encrypt
> the whole session? Let anonymous users come in via HTTP, then go all-SSL
> for logged in users. Sourceforge is a great example of this.
Yes, that's what I was talking about. In our Zope apps this is standard
procedure -- we have one non-SSL welcome page at the most, everything
else goes through HTTPS. Makes sense IMHO for data acquisition
applications with at least moderately sensitive data.
peter.