[Zope] Re: FSSession
Phil Harris
phil.harris@zope.co.uk
Wed, 9 Feb 2000 16:10:36 -0000
Pavlos,
Have you seen http://mars.post1.com/home/ngps/m2/
It's an HTTPS patch for Zope.
Seems interesting
Phil
Phil.harris@zope.co.uk
| -----Original Message-----
| From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of
| Pavlos Christoforou
| Sent: Wednesday, February 09, 2000 3:20 PM
| To: Hung Jung Lu
| Cc: pavlos@gaaros.com; zope@zope.org
| Subject: [Zope] Re: FSSession
|
|
| On Tue, 8 Feb 2000, Hung Jung Lu wrote:
|
| > One more question: what about security?
| >
| > At this moment the SessionUID cookie is unencrypted
| > and this is not very safe... or is this cookie tied
| > up to Zope session? It is possible for someone else
| > to tap into another person's session?
|
| It is possible if you could guess some other person's SessionUID, which is
| essentially a long random number (0-100000000). In any case the SessionUID
| goes over the network unencrypted, as is all Zope-related security info.
| In effect you are limited by the HTTP protocol.
| >
| > Do you have any recommendation for enhancing security?
|
| If your users will be logging in through HTTPS then I can devise a scheme
| to make it more secure, but as long as you use HTTP or your users do not
| log in at all you are very limited. This I believe would be a problem for
| any session management scheme. If anyone knows otherwise please let me know.
|
| If you worry about the SessionUID length then we can make it longer, much
| longer if you desire, but even now, the chances of guessing someone's
| SessionUID should be -approximately- (number of existing
| sessions)/100,000,000 per trial.
|
| Pavlos
|
|
| _______________________________________________
| Zope maillist - Zope@zope.org
| http://lists.zope.org/mailman/listinfo/zope
| ** No cross posts or HTML encoding! **
| (Related lists -
| http://lists.zope.org/mailman/listinfo/zope-announce
| http://lists.zope.org/mailman/listinfo/zope-dev )
|
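Pavlos's guessing estimate above, worked through as an added example (not code from FSSession or from anyone in this thread): it treats the SessionUID as a uniformly random integer in 0-100,000,000, applies the (existing sessions)/100,000,000 per-trial formula, and puts the result next to a 128-bit token from the OS CSPRNG so the entropy gap is visible. The session count and guess rate are assumed inputs.

```python
"""Session-ID guessability with the numbers from the thread (added example)."""
import math
import secrets

LEGACY_ID_SPACE = 100_000_000   # the 0-100000000 range described in the reply
MODERN_ID_BITS = 128            # size of a token from secrets.token_bytes(16)


def entropy_bits(id_space: int) -> float:
    """Bits of entropy of an ID chosen uniformly from a space of this size."""
    return math.log2(id_space)


def hit_probability_per_trial(active_sessions: int, id_space: int) -> float:
    """Chance one blind guess matches any live session.

    This is the reply's formula: (number of existing sessions) / id_space.
    """
    if not 0 <= active_sessions <= id_space:
        raise ValueError("session count must lie within the ID space")
    return active_sessions / id_space


def expected_trials_to_hit(active_sessions: int, id_space: int) -> float:
    """Mean number of independent guesses before the first hit (geometric)."""
    p = hit_probability_per_trial(active_sessions, id_space)
    return float("inf") if p == 0 else 1 / p


def seconds_to_expected_hit(active_sessions: int, id_space: int,
                            guesses_per_second: float) -> float:
    """Wall-clock time for the expected hit at an assumed guess rate."""
    return expected_trials_to_hit(active_sessions, id_space) / guesses_per_second


def new_session_uid() -> str:
    """A 128-bit random SessionUID from the OS CSPRNG, URL-safe for a cookie."""
    return secrets.token_urlsafe(MODERN_ID_BITS // 8)


if __name__ == "__main__":
    sessions, rate = 1000, 100.0      # assumed: 1000 live sessions, 100 guesses/s
    for label, space in (("thread's 1e8 space", LEGACY_ID_SPACE),
                         ("128-bit token", 2 ** MODERN_ID_BITS)):
        print(f"{label}: {entropy_bits(space):.1f} bits, expected hit after "
              f"{expected_trials_to_hit(sessions, space):.3g} guesses "
              f"({seconds_to_expected_hit(sessions, space, rate):.3g} s)")
    print("example SessionUID:", new_session_uid())
```

With 1000 live sessions and 100 guesses per second, the 1e8 space yields an expected hit in about 1000 seconds, which is why a larger ID space matters even before the unencrypted-transport problem is addressed.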