[Zope] - Secure Server
Jeff Bauer
jbauer@rubic.com
Mon, 25 Jan 1999 11:35:00 -0600
Brad Clements wrote:
> On 25 Jan 99, at 9:51, Kevin Dangoor wrote:
>
> > server. The current implementations of HTTP do not allow for long-lived
> > connections, so the browser sends the user name and password with each
> > request. (The browser makes it so that the user only needs to enter it
> > once, though.)
>
> I don't think this is entirely true. HTTP does allow the client and server to
> agree to keep the connection open. You can see this happening
> between iexploder and iis...

Kevin's point is correct, despite how one particular browser and one
particular server might maintain a persistent state. Robert is best
advised to conduct his entire session via secure socket layer if
the information is sensitive. Moreover, I think Robert's concern
was the possible performance hit by using SSL rather than a
regular socket connection. This hardly adds enough overhead
to warrant dropping into an insecure session.

Jeff Bauer
Rubicon, Inc.
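
Added example, not part of the original message: a small Python audit of a constructed capture of two requests on one persistent connection, showing that HTTP Basic authentication repeats the credentials on every request and that they are only base64-encoded, which is why the whole session belongs inside SSL. The host, paths and credentials are made up for illustration.

```python
import base64

# Constructed sample: two requests sent back to back on ONE persistent
# (keep-alive) connection. Host, paths and credentials are made up.
CRED = base64.b64encode(b"robert:s3cret").decode()
CAPTURED = (
    "GET /manage HTTP/1.1\r\nHost: zope.example\r\nConnection: keep-alive\r\n"
    f"Authorization: Basic {CRED}\r\n\r\n"
    "GET /manage/index_html HTTP/1.1\r\nHost: zope.example\r\n"
    "Connection: keep-alive\r\n"
    f"Authorization: Basic {CRED}\r\n\r\n"
).encode()

def split_requests(stream: bytes):
    """Split a stream of body-less requests into (request_line, headers)."""
    out = []
    for raw in stream.split(b"\r\n\r\n"):
        if not raw:
            continue
        lines = raw.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        out.append((lines[0], headers))
    return out

def basic_credentials(headers):
    """Return (user, password) from a Basic Authorization header, else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Basic is an encoding, not encryption: decoding needs no secret.
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(stream: bytes):
    """Return (request_line, user, password) for every request in the stream."""
    return [(req, *(basic_credentials(h) or (None, None)))
            for req, h in split_requests(stream)]

if __name__ == "__main__":
    for row in audit(CAPTURED):
        print(row)
```

Keeping the connection open changes nothing here: both requests carry the same recoverable credentials, so only transport encryption protects them.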