[Zope-dev] Re: [patch] More secure cookie crumbler?

Chris Withers chris at simplistix.co.uk
Wed Apr 21 04:40:16 EDT 2004


Shane Hathaway wrote:

> Even with unbreakable encryption of credentials after login, you still
> send the username and password in the clear at login time, and sniffers
> can reuse the session ID with ease.  You really shouldn't tell the Plone
> users they will be safer with a session token, because they won't.

Well, they will.

You go from being able to sniff from ANY request, to only being able to sniff 
from the login request.

Session ID re-use will only work if the legitimately logged-in user doesn't use 
the session they've just logged in to. If they do, both the legitimate and 
illegitimate sessions will get bumped out.

Now, dependent on your point of view and the sensitivity of your data, that may 
only be a small improvement, but it IS an improvement...

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk



