[Zope] Implementing a login form instead of BASIC authentication

Phil Harris phil.harris@zope.co.uk
Tue, 15 Aug 2000 14:34:21 +0100


All,

PHPlib (http://phplib.netuse.de) has a piece of javascript that creates MD5
hashes from the entries in a form:

so you would never have to pass passwords in clear text, as long as the hash
agrees with the one created server side, login is successful.

the PHPlib docs describe it better than me, but it works great.

hth

Phil
phil.harris@zope.co.uk

----- Original Message -----
From: "Chris Withers" <chrisw@nipltd.com>
To: "albert boulanger" <aboulang@ldeo.columbia.edu>
Cc: <zope@zope.org>; <wei@ldeo.columbia.edu>; <bentz@bentz-engineering.com>
Sent: Tuesday, August 15, 2000 2:13 PM
Subject: Re: [Zope] Implementing a login form instead of BASIC authentication


> albert boulanger wrote:
> > DIGEST seems good in that it is encrypted and uses the
> > Challenge/Response like BASIC for every HTTP transaction -- matched well
> > with the stateless nature of HTTP.
>
> AFAIK, no browsers (maybe Mozilla, but that has the stability of a house
> of cards ;-) support Digest and I'm pretty sure that Zope doesn't either
> :(
>
> >  1) One should encrypt the info in the cookie
>
> Definitely
>
> >  2) How does one get around the stateless nature of HTTP in a secure way
> >     using cookies? In other words, unless the HTTP transaction is
> >     challenged every time, how do you really know that someone is not
> >     trying to slip into an existing session?
>
> Hehe, welcome to one of the biggest challenges on the web...
>
> ...that, and getting your CSS to be compatible with all the major
> browsers ;-)
>
> cheers,
>
> Chris
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
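
Added example (not part of the original thread and not PHPlib's code): the server-side check for a hashed login form like the one described in the message above, written in Python. It assumes the server puts a one-time random challenge in the form and the browser script submits MD5(username:password:challenge); the challenge, the field layout and the names `LoginServer` and `response_hash` are assumptions, since the post does not give PHPlib's exact construction.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; a real server would read this from its user store.
USERS = {"alice": "correct horse"}


def response_hash(username, password, challenge):
    """What the browser-side script would compute and submit instead of the password."""
    data = f"{username}:{password}:{challenge}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


class LoginServer:
    def __init__(self):
        self.pending = set()  # challenges issued but not yet used

    def issue_challenge(self):
        """Random value to embed in the login form as a hidden field."""
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, username, challenge, response):
        """Recompute the hash server side; each challenge is accepted only once."""
        if challenge not in self.pending:
            return False  # unknown or already used: a replayed submission
        self.pending.discard(challenge)
        password = USERS.get(username)
        if password is None:
            return False
        expected = response_hash(username, password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo():
    server = LoginServer()
    c1 = server.issue_challenge()
    submitted = response_hash("alice", "correct horse", c1)
    first = server.verify("alice", c1, submitted)    # genuine login
    replay = server.verify("alice", c1, submitted)   # same bytes resent later
    c2 = server.issue_challenge()
    wrong = server.verify("alice", c2, response_hash("alice", "guess", c2))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

Without the challenge the submitted hash would be a fixed value that works as well as the password for anyone who captures it. The session cookie issued after a successful check still needs its own protection, which is the second question raised in the quoted message.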