[Zope] Implementing a login form instead of BASIC authentication

Chris Withers chrisw@nipltd.com
Tue, 15 Aug 2000 14:13:22 +0100


albert boulanger wrote:
> DIGEST seems good in that it is encrypted and uses the
> Challenge/Response like BASIC for every HTTP transaction -- matched well
> with the stateless nature of HTTP.

AFAIK, no browsers (maybe Mozilla, but that has the stability of a house
of cards ;-) support Digest and I'm pretty sure that Zope doesn't either
:(

>  1) One should encrypt the info in the cookie

Definitely

>  2) How does one get around the stateless nature of HTTP in a secure way using
>     cookies? In other words, unless the HTTP transaction is challenged every
>     time, how do you really know that someone is not trying to slip into an
>     existing session?

Hehe, welcome to one of the biggest challenges on the web...

...that, and getting your CSS to be compatible with all the major
browsers ;-)

cheers,

Chris
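The cookie-based login the thread is circling around, as an added example that is not part of the original message or of Zope itself: a small Python 3 module that issues a login cookie after the form posts and checks it on every later request. The point it adds to the "encrypt the cookie" suggestion is that what stops someone slipping into an existing session is authenticity, not secrecy: the cookie carries an HMAC-SHA256 tag under a server-side key, so a client cannot mint a cookie for another user or extend its expiry, and the server never has to keep session state. The token layout (`user.expiry.nonce.tag`), the function names, the one-hour lifetime and the in-memory key are all assumptions made for this example.

```python
"""
Added example, not code from the original thread or from Zope: an
HMAC-authenticated login cookie for a stateless HTTP application.
Layout, names and lifetime are assumptions for this example.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server secret for this stand-alone example. A real deployment
# loads it from protected configuration; it must never be sent to the client.
SECRET_KEY = secrets.token_bytes(32)

# Assumed session lifetime in seconds.
SESSION_LIFETIME = 3600


def _b64encode(data: bytes) -> str:
    """URL-safe base64 without padding, so the value is safe inside a cookie."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    """Inverse of _b64encode; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the payload; this is what makes the cookie trustworthy."""
    return _b64encode(hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest())


def issue_cookie(username: str, now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Build 'user.expiry.nonce.tag' for a user who has just passed the login form."""
    if now is None:
        now = int(time.time())
    expiry = now + SESSION_LIFETIME
    # A random nonce keeps two logins by the same user from producing equal cookies.
    nonce = _b64encode(secrets.token_bytes(16))
    payload = f"{_b64encode(username.encode('utf-8'))}.{expiry}.{nonce}"
    return f"{payload}.{_tag(payload, key)}"


def verify_cookie(cookie: str, now: Optional[int] = None, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the user name if the cookie is authentic and unexpired, else None."""
    if now is None:
        now = int(time.time())
    parts = cookie.split(".")
    if len(parts) != 4:
        return None
    user_b64, expiry_text, nonce, tag = parts
    payload = f"{user_b64}.{expiry_text}.{nonce}"
    # Check the tag before trusting anything else in the cookie. compare_digest
    # avoids leaking the position of the first mismatching byte through timing.
    if not hmac.compare_digest(_tag(payload, key), tag):
        return None
    try:
        expiry = int(expiry_text)
        username = _b64decode(user_b64).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if now >= expiry:
        return None
    return username


def demo() -> bool:
    """Issue, verify, forge and expire one cookie; True if every check behaves."""
    now = 1_000_000
    cookie = issue_cookie("alice", now=now)
    _user_b64, expiry, nonce, tag = cookie.split(".")
    # An attacker who knows the layout but not the key rewrites the user field.
    forged = f"{_b64encode(b'admin')}.{expiry}.{nonce}.{tag}"
    return (
        verify_cookie(cookie, now=now) == "alice"
        and verify_cookie(forged, now=now) is None
        and verify_cookie(cookie, now=now + SESSION_LIFETIME) is None
        and verify_cookie("garbage", now=now) is None
    )


if __name__ == "__main__":
    print("session cookie checks passed" if demo() else "session cookie checks FAILED")
```

The login handler would call `issue_cookie` once the posted form credentials check out and set the result as a cookie (with the Secure and HttpOnly attributes in practice); every other request calls `verify_cookie` and treats `None` as "not logged in". Encrypting the payload can be layered on top if the user name itself is sensitive, but the tag is what prevents forgery.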