[Zope] UserDb extensions

Oleg Machulski oleg_machulski@geocities.com
Mon, 24 May 1999 12:55:09 +0300


"Ross J. Reedstrom" wrote:
> 
> Oleg Machulski wrote:
> <snipped Oleg pointing out security problems with cookie authentication>
> 
> I agree Oleg, that cookies aren't really any better than plain old basic
> authentication on the client<->server side. However, I see I failed to
> mention in that note what my set up is - I figured since I'd been
> spamming the list with my problems, everyone knew about them ;-) I'm
> running Zope under Apache-SSL, so the front side communications are all
> encrypted.
But COOKIES are stored on the client side in a plaintext file. hehe. :-)

Besides, adding an expiration feature to the authentication system rules.

>  The leak out the backend to the Db was my only exposure.
> 
> Of course, fixing how Zope sets cookies and deals with passwords doesn't
> do much good if the client still sends a cleartext password at first
> login - there needs to be some client side support for some form of
> encryption on the password before it gets sent to the server for the
> very first time.
I believe :-) that if we use SSL, it doesn't matter.

If an https:// server could generate a cookie for http://, then
we could authenticate the user on the SSL host, generate a complicated
cookie, and then switch to a non-SSL connection, but as far as I know,
such tricks require special settings to be made in the browser setup,
and these settings may lower the security of the client.

> Unfortunately, nothing beyond Basic Auth. seems to be
> standard, except full blown SSL, encrypting the entire traffic stream
> (and it does slow things down). I suppose a Java applet would work, or
> perhaps even some really clever javascript? Eventually, this turns into
> a Diffie-Hellman key exchange sort of thing, doesn't it?
Maybe, but using JavaScript seems to be insecure. Of course it does not
affect server security, but a lot of people prefer to have their
JavaScript OFF.

So it seems that the only possible solution is to maintain fully encrypted
connections.

-- 
Best regards

        Oleg Machulski
----------------------------------------------------
http://www.geocities.com/SiliconValley/Network/7671/
mailto:oleg_machulski@geocities.com