[Zope] Auto-Login from MS Domain

sean.upton@uniontrib.com sean.upton@uniontrib.com
Fri, 08 Mar 2002 09:29:16 -0800


No, it's not an ActiveX component; it is a feature (or MS-specific
hack-over-headers) that has been built into IE for a while, and used
primarily for intranet sites built using IIS.  The server has to explicitly
tell the browser that it will accept NTLM authentication sent via HTTP
headers.  See my previous message for more details.

I agree, this is a security risk, and somewhat pointless when you consider
that browsers have 'save-a-password' features for Basic Auth anyway... Then
again, perhaps that is as much of a security risk.  If you are really
paranoid, you will implement cookie-based auth (not basic or NTLM) with
server-based timeout/expirations of credentials associated with a session
cookie, since not everyone locks their workstation when they leave their
desk...

Sean

-----Original Message-----
From: Joel Burton [mailto:joel@joelburton.com]
Sent: Friday, March 08, 2002 8:58 AM
To: Andy McKay
Cc: zope@zope.org
Subject: Re: [Zope] Auto-Login from MS Domain


On Fri, 8 Mar 2002, Andy McKay wrote:

> Doesn't XUF have some way of auth'ing from a Windows domain? I don't know if
> you can auto login to a site by magically requesting the network login,
> sounds like it would be bit of a security risk...

No doubt there's some ActiveX component which runs only on IE v >=6.0004
that will do this, and, yes, no doubt it's a security risk. ;-)

-- 

Joel BURTON  |  joel@joelburton.com  |  joelburton.com  |  aim: wjoelburton
Independent Knowledge Management Consultant
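As an added illustration of the cookie-based alternative Sean describes above (not code from the thread or from Zope itself): a minimal server-side session store in which the credential lives on the server, is keyed by an opaque cookie value, and is expired by idle and absolute timeouts regardless of what the browser still holds. The cookie name `zsid`, the timeout values and the `SessionStore`/`authenticate` names are assumptions for this example.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical values chosen for this example; tune to the site's risk.
IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime since login
COOKIE_NAME = "zsid"          # assumed cookie name carrying the session id

class SessionStore:
    """Server-side session table: the browser only ever holds an opaque id."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # session id -> {"user", "created", "last_seen"}

    def login(self, user):
        """Issue a fresh, unguessable session id after a successful login."""
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness
        t = self._now()
        self._sessions[sid] = {"user": user, "created": t, "last_seen": t}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["created"] > ABSOLUTE_TIMEOUT or t - s["last_seen"] > IDLE_TIMEOUT:
            # Expire on the server: a cached cookie on an unlocked workstation
            # is worthless once this entry is gone.
            del self._sessions[sid]
            return None
        s["last_seen"] = t       # sliding idle window
        return s["user"]

    def logout(self, sid):
        """Explicit logout invalidates the session immediately."""
        self._sessions.pop(sid, None)

def authenticate(store, cookie_header):
    """Resolve a request's Cookie header to a user, or None if not logged in."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if COOKIE_NAME not in jar:
        return None
    return store.lookup(jar[COOKIE_NAME].value)
```

Because expiry is enforced server-side, the same cookie value presented after the idle window (or after logout) yields no user, which is the property Basic or NTLM credentials replayed by the browser do not give you.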


_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )