[Zope] Re: major problems placing authentication on an extranet site-security flaw?

michael nt milne michael.milne at gmail.com
Sun Feb 12 08:39:20 EST 2006


Thanks

"It's worth bearing in mind that those credentials are passed over the
wire with every page, so you need your sessions to /stay/ in SSL mode
once authenticated."

Yes, I've got the whole site going over SSL and the :8080 port re-directing
to SSL.

However on my main server where I have other sites I was thinking about
implementing SSL for the login areas to make them fully secure. From what
you are saying though you'd basically need to make a whole site go over SSL
and just implementing that on the login areas isn't worth it?

I still have an issue with IE6 over SSL where trying to create new pages or
edit content produces a "server not found" and the padlock disappears. I have
TLS 1.0 and SSL 2.0, 3.0 selected in advanced. IE 6.02. Firefox
1.5 (predictably...) works fine but I don't want to have to get all my
users to install it even though I'd like to :-)


On 2/11/06, Philip Kilner <phil at xfr.co.uk> wrote:
>
> Hi Michael,
>
> michael nt milne wrote:
> > I've implemented what's outlined in the make private site
> > documentation and it works fine on Plone 2.1.1. No content is available
> > apart from the site-map page (doesn't list content) and the contact form
> > but I can figure that out separately.
> >
>
> Since neither of those counts as "content" as such, I think that that is
> legitimate and as you say, you can work around those if it matters to
> you (In cases where I've wanted to work around such things, I've simply
> called a script that redirects with an error message if the
> appropriate conditions aren't met.)
>
> > Yes I think I like the HTML login page way to authenticate. It feels
> > more usable. And I don't think I'll use an Apache login box at all. Most
> > users will find it hard remembering one password and with cookie
> > authentication over SSL you can go straight into the site. Brilliant.
> >
>
> Agreed. Apache does a great job of managing the SSL, securing the data
> over public wires, but that's a 100% generic task whereas the
> authentication is tightly bound to your application.
>
> It's worth bearing in mind that those credentials are passed over the
> wire with every page, so you need your sessions to /stay/ in SSL mode
> once authenticated.
>
> > I'm revisiting some of the points made in this thread though about
> > security. It does seem that Zope and Plone as you say, are at odds on
> > this.
> >
>
> Because Zope is an application server, it has to expose its mechanism -
> Plone has an easier job because it has a specific task to do (e.g.
> manage content), and so can take an approach which is much simpler to
> fly. In Plone, always do things the Plone way - working at the Zope
> level may potentially subvert Plone's mechanisms for achieving things.
>
>
> --
>
> Regards,
>
> PhilK
>
> Email: phil at xfr.co.uk
> PGP Public key: http://www.xfr.co.uk
> Voicemail & Facsimile: 07092 070518
>
> "You'll find that one part's sweet and one part's tart:
> say where the sweetness and the sourness start."
> - Tony Harrison
>



--
Michael
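As an added illustration of Phil's point that cookie credentials ride on every request (this is example code written for this page, not code from the thread, Zope or Plone), the following models the one browser rule that decides whether "SSL on the login area only" protects anything: a cookie set with the `Secure` attribute is attached only to https:// requests, while an unflagged one is also sent over plain http. Cookie names, values and the extranet.example URLs are constructed for the demonstration.

```python
"""Why cookie credentials need the whole session on SSL, not just the login page.

Added example, not Zope/Plone code. It models one browser rule: a cookie that
carries the `Secure` attribute is only attached to https:// requests; a cookie
without it goes over plain http too. All cookie names, values and URLs here
are constructed for the illustration.
"""
from http import cookies
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attrs).

    attrs holds only the attributes that are actually present; the
    Secure and HttpOnly flags appear as True.
    """
    jar = cookies.SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()          # one cookie per Set-Cookie header
    attrs = {key: val for key, val in morsel.items() if val}
    return name, morsel.value, attrs


def cookies_sent_to(jar, url):
    """Names a browser would attach to a request for `url`.

    `jar` maps cookie name -> attrs dict as produced by parse_set_cookie.
    Secure cookies are withheld from anything that is not https.
    """
    over_tls = urlsplit(url).scheme == "https"
    return sorted(name for name, attrs in jar.items()
                  if over_tls or not attrs.get("secure"))


def audit_set_cookie_headers(headers, credential_names):
    """Return the credential cookies that were set without the Secure flag."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name in credential_names and not attrs.get("secure"):
            findings.append(name)
    return findings


def login_then_follow_plain_link(login_set_cookie):
    """Simulate the scenario from the thread: the user logs in over https
    (the server answers with `login_set_cookie`), then follows a link to a
    plain-http page of the same site.  Returns the cookie names that the
    browser would send in clear text on that second request."""
    name, _value, attrs = parse_set_cookie(login_set_cookie)
    jar = {name: attrs}
    return cookies_sent_to(jar, "http://extranet.example/news")  # constructed


# Constructed Set-Cookie headers as a login response might return them.
UNFLAGGED = "sid=c0ffee; Path=/; HttpOnly"
FLAGGED = "sid=c0ffee; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    print("leaks without Secure:", login_then_follow_plain_link(UNFLAGGED))
    print("leaks with Secure:   ", login_then_follow_plain_link(FLAGGED))
    print("audit findings:", audit_set_cookie_headers(
        [UNFLAGGED, FLAGGED, "theme=dark; Path=/"], {"sid"}))
```

The flagged cookie is never sent over http, but that only makes the user appear logged out on any http page, so the practical answer to the "login area only" question is the setup Michael already has: the whole site served over SSL with the plain port redirecting to it, and the credential cookie marked `Secure` so a stray http link cannot expose it.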