[Zope] - Secure Server

Scott Robertson sroberts@codeit.com
Tue, 26 Jan 1999 17:15:01 -0800 (PST)


On Mon, 25 Jan 1999, Christopher G. Petrilli wrote:

> 
> Based on real-world benchmarks, SSL generally has an order of magnitude
> impact (sometimes more) on performance... the key negotiation is a huge
> CPU burden, and must be performed with the start of each SSL session
> (which under HTTP/1.0 is every HTTP query)... what I've recommended to a
> lot of people doing "high performance" servers is to use SSL to gather
> UID/password, then issue a "ticket" (aka cookie) that is valid, and then
> let the cookie be passed around.  While this isn't 100%, and does allow
> for certain types of replay/mim vectors, it does provide a good bit more
> real world security than passing uids in the clear.
> 

Sounds good, do you think it would be worth it to hash the ip address
into the ticket so that you can almost guarantee that the owner of the
cookie is the same person the cookie was issued to?
---------------------------------------------------
- Scott Robertson             Phone: 714.972.2299 -
- CodeIt Computing            Fax:   714.972.2399 -
-                http://codeit.com                -
---------------------------------------------------
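As an added illustration of the ticket scheme discussed in this thread (not code from the poster or from Zope), the sketch below mints a cookie value after the SSL login that carries the user name, the client IP and an issue time under an HMAC, and checks it on later requests; the key, TTL and the 192.0.2.x addresses are constructed for the demo.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key: a real server loads this from protected configuration.
SECRET = b"constructed-demo-key-not-for-production"
TTL_SECONDS = 900  # how long a ticket stays valid after issue


def _mac(payload: str, secret: bytes) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def mint_ticket(user: str, client_ip: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Issue the cookie value after SSL login: user|ip|issued_at|mac, base64-encoded.
    The client IP sits inside the MAC'd payload, so altering it invalidates the ticket."""
    if "|" in user:
        raise ValueError("user name may not contain the field separator")
    payload = f"{user}|{client_ip}|{issued_at}"
    return base64.urlsafe_b64encode(f"{payload}|{_mac(payload, secret)}".encode()).decode()


def verify_ticket(ticket: str, client_ip: str, now: int,
                  secret: bytes = SECRET, ttl: int = TTL_SECONDS) -> Optional[str]:
    """Return the user name if the ticket is authentic, unexpired and presented
    from the IP it was issued to; otherwise None (the caller re-authenticates)."""
    try:
        fields = base64.urlsafe_b64decode(ticket.encode()).decode().split("|")
        user, ip, issued_str, mac = fields  # exactly four fields expected
        issued_at = int(issued_str)
    except ValueError:
        return None
    expected = _mac(f"{user}|{ip}|{issued_at}", secret)
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if ip != client_ip:  # ticket presented from another address
        return None
    if not (issued_at <= now <= issued_at + ttl):  # expired or clock-skewed
        return None
    return user


if __name__ == "__main__":
    now = int(time.time())
    t = mint_ticket("alice", "192.0.2.10", now)  # 192.0.2.0/24 is a documentation range
    print(verify_ticket(t, "192.0.2.10", now + 60))  # alice
    print(verify_ticket(t, "192.0.2.99", now + 60))  # None
```

The IP check only holds when the server sees the real client address; behind a NAT or proxy many users share one IP, and a roaming client changes IP, so the short TTL does most of the work there.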