[Zope] - Secure Server

Jeff Bauer jbauer@rubic.com
Mon, 25 Jan 1999 11:35:00 -0600


Brad Clements wrote:

> On 25 Jan 99, at 9:51, Kevin Dangoor wrote:
>
> > server. The current implementations of HTTP do not allow for long-lived
> > connections, so the browser sends the user name and password with each
> > request. (The browser makes it so that the user only needs to enter it
> > once, though.)
>
> I don't think this is entirely true. http does allow the client and server to
> agree to keep the connection open. You can see this happening
> between iexploder and iis...

Kevin's point is correct, despite how one particular browser and one
particular server might maintain a persistent state.  Robert is best
advised to conduct his entire session via secure socket layer if
the information is sensitive.  Moreover, I think Robert's concern
was the possible performance hit by using SSL rather than a
regular socket connection.  This hardly adds enough overhead
to warrant dropping into an insecure session.

Jeff Bauer
Rubicon, Inc.
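The point discussed in this thread, as an added example that is not part of the original messages: a persistent (keep-alive) HTTP connection carries no authentication state, so Basic credentials must accompany every request and cross the wire each time unless the whole session runs over SSL. The user name, password and realm are constructed sample values, and the server is a local stand-in built with Python's standard library.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credentials, for illustration only.
USER, PASSWORD = "robert", "example-password"
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # enables persistent connections
    seen = []  # (client TCP port, Authorization header present?)

    def do_GET(self):
        auth = self.headers.get("Authorization")
        Handler.seen.append((self.client_address[1], auth is not None))
        ok = auth == EXPECTED
        body = b"ok\n" if ok else b"auth required\n"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    """Send three requests over ONE TCP connection; return (statuses, seen)."""
    Handler.seen = []
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1])
    statuses = []
    # Requests 1 and 3 carry credentials; request 2 omits them.
    for headers in ({"Authorization": EXPECTED}, {}, {"Authorization": EXPECTED}):
        conn.request("GET", "/", headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection can be reused
        statuses.append(resp.status)
    conn.close()
    server.shutdown()
    server.server_close()
    return statuses, list(Handler.seen)

if __name__ == "__main__":
    statuses, seen = run_demo()
    print(statuses, "connections used:", len({port for port, _ in seen}))
```

All three requests arrive from the same client port, yet the one sent without the header is refused, so the reused connection did not remember the earlier login.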