[Zope] Implementing a login form instead of BASIC authentication

albert boulanger aboulang@ldeo.columbia.edu
Tue, 15 Aug 2000 08:57:45 -0400 (EDT)


   Stephan Goeldi wrote:
   > 
   > Wouldn't that reduce system security?

   I think he means cookie-based authentication, as found on zope.org.

   > >I am currently looking into implementing a login form to replace the
   > >standard BASIC authentication.

   Gérard,

   Take a look at things like LoginManager and GUF which can do this sort
   of thing. They are standard replacements for the acl_users folder and
   will serve you a lot better than hacking around in User.py...

I am interested in this issue as well since we are looking hard at security.
Here is my current thinking.

BASIC is not secure since the name:password is base64 encoded and not
encrypted.

DIGEST seems good in that it is encrypted and uses the
Challenge/Response like BASIC for every HTTP transaction -- matched well
with the stateless nature of HTTP.

Cookie based methods seem to assume some notion of session to me which
fundamentally is a hack and is less secure than DIGEST, to wit:

 1) One should encrypt the info in the cookie
 2) How does one get around the stateless nature of HTTP in a secure way using
    cookies? In other words, unless the HTTP transaction is challenged every 
    time, how do you really know that someone is not trying to slip into an 
    existing session?

Also on the server side I need to share the login info among Zope, and
Tomcat -- has a methodology been developed to do so?

Regards,
Albert Boulanger
aboulanger@ldeo.columbia.edu
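As an added illustration of the BASIC/DIGEST contrast raised in the message above (example code written for this page, not from the thread or from Zope), the block below builds a BASIC header and shows the password falling straight back out of it, then computes an RFC 2617 Digest response (no qop) and shows that a response captured for one server nonce is rejected against the next challenge, which is the "challenged every time" property the post asks about. All user, realm, password and nonce values are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the original thread).
USER, PASSWORD, REALM = "gerard", "s3cret", "zope-site"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # server-chosen challenge, constructed

def basic_header(user, password):
    """Client side of BASIC: Authorization header is base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def basic_credentials(header):
    """Whoever sees a BASIC header recovers the password: base64 encodes, it does not encrypt."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password

def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); the server can store this instead of the password."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1, nonce, method, uri):
    """RFC 2617 Digest without qop: response = MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def digest_verify(stored_ha1, nonce, method, uri, response):
    """Server side: recompute from stored HA1 and the nonce it issued, compare in constant time."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return hmac.compare_digest(expected, response)

def demo():
    """Returns (password recovered from the BASIC header, whether a captured Digest
    response is accepted against the next challenge)."""
    recovered = basic_credentials(basic_header(USER, PASSWORD))[1]
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    resp = digest_response(ha1, NONCE, "GET", "/manage")        # answers this challenge only
    next_nonce = "1d0f600bfb0c093dcd98b7102dd2f0e8"             # fresh challenge, constructed
    replayed = digest_verify(ha1, next_nonce, "GET", "/manage", resp)
    return recovered, replayed

if __name__ == "__main__":
    print(demo())  # ('s3cret', False)
```

The password never appears in the Digest exchange, only HA1-derived hashes bound to the nonce, method and URI; the same holds regardless of whether the transport is TLS.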