[Zope] Re: major problems placing authentication on an extranet site-security flaw?

michael nt milne michael.milne at gmail.com
Sun Feb 12 11:56:25 EST 2006


Yes, I do realise that it's hard. Regarding the cookie comment that
was the reason I wanted to use Apache <location> based login. I do
realise that leaving a logon cookie is insecure and that comment was
perhaps misguided. I started to think about usability etc.

I'm going to block 8080 at the router/firewall level as Zope obviously
needs to keep serving through 8080 to Apache.

As for the issue with IE6 and editing pages over SSL, it all works fine
in Firefox 1.5, so it's a browser issue which I just can't quite
fathom just now. Annoying as all the users are on IE. Unless I use
that as an excuse for them all to get a better browser...

Thanks for the comments

Michael



On 2/12/06, Chris Withers <chris at simplistix.co.uk> wrote:
> michael nt milne wrote:
> > Yes, I've got the whole site going over SSL and the :8080 port re-directing
> > to SSL.
>
> Anything not over SSL should be blocked, not redirected, given your
> earlier paranoia...
>
> > However on my main server where I have other sites I was thinking about
> > implementing SSL for the login areas to make them fully secure. From what
> > you are saying though you'd basically need to make a whole site go over SSL
> > and just implementing that on the login areas isn't worth it?
>
> Correct. Also, don't turn SSL into a panacea. Security is hard. Very
> hard. I'm not sure you understand that yet...
>
> > I still have an issue with IE6 over SSL where trying to create new pages or
> > edit content, produces a server not found and the padlock disappears.
>
> Look at where the form action points to, I suspect you haven't correctly
> configured your virtual hosting stuff in Apache and/or Zope.
>
> cheers,
>
> Chris
>
> --
> Simplistix - Content Management, Zope & Python Consulting
>             - http://www.simplistix.co.uk
>



--
Michael
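The setup discussed in this thread (Apache terminating SSL in front of Zope on port 8080, the plain-HTTP host blocked rather than redirected, and form actions coming back as https:// URLs) can be expressed as an Apache virtual host configuration. The following is an added example, not configuration from the original post or from either poster; the hostname, certificate paths and the Zope folder name "extranet" are assumed, and the syntax is the Apache 2.0/2.2 style of the period (mod_rewrite with the proxy flag and mod_ssl).

```apache
# Added example: Apache in front of Zope over SSL (hostname, paths and
# Zope folder "extranet" are assumptions, not values from the thread).

# HTTPS front end: everything the users see goes over SSL.
<VirtualHost *:443>
    ServerName extranet.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/extranet.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/extranet.example.com.key

    RewriteEngine On
    # Proxy to Zope's VirtualHostMonster. The "https" and ":443" segments
    # tell Zope which scheme and host to use when it generates absolute
    # URLs, so form actions point at https://extranet.example.com/...
    # rather than at the internal http://host:8080 address (the mismatch
    # that produces "server not found" and drops the padlock).
    RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/https/extranet.example.com:443/extranet/VirtualHostRoot/$1 [L,P]

    # Keep the proxied request from exposing the Zope port in headers.
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Plain HTTP host: blocked outright, not redirected, so no credential or
# session data can ever be sent in the clear by mistake.
<VirtualHost *:80>
    ServerName extranet.example.com
    <Location />
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>
```

Zope itself still listens on 8080, but only Apache on the same machine (127.0.0.1) needs to reach it; the separate firewall rule that drops external traffic to 8080 closes the path around the SSL front end. After a change like this, reload Apache, load an edit form over https and confirm in the page source that the form's action attribute starts with https://extranet.example.com/ and not with the 8080 address.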

