[Zope] Re: major problems placing authentication on an extranet site-security flaw?

michael nt milne michael.milne at gmail.com
Tue Feb 14 06:30:34 EST 2006


> Yes, I do realise that it's hard. Regarding the cookie comment that
> was the reason I wanted to use Apache <location> based login.

>>Huh? I'm sure some people would love to know how those two things relate
>>in your head...

>>>I wanted to use an Apache served login box before the Zope/Plone site is
>>>served but I've decided against that now as authentication should be closely
>>>linked to the application. Also Apache <location> based authentication isn't
>>>cookie based. Now going with Zope/Plone auth over SSL alone with cookies set
>>>to expire.

> I do
> realise that leaving a logon cookie is insecure and that comment was
> perhaps misguided. I started to think about usability etc.

>>If you're lucky, you might get a system that's both insecure _and_
>>unusable ;-)

>>>My aim is security with a good level of usability and I'll achieve that
>>>:-)

> I'm going to block 8080 at the router/firewall level as Zope obviously
> needs to keep serving through 8080 to Apache.

>>using iptables in the box is probably a better idea...

>>>thanks for the advice but I'll probably go with router level

> As for the issue with IE6 and editing pages over SSL it all works fine
> in Firefox 1.5, so it's a browser issue which I just can't quite
> fathom just now.

>>I doubt it, my guess would still be that you're doing something wrong
>>somewhere...

>>>Sorry but I don't agree on this one. I haven't altered any of the Plone
>>>'edit page' functionality. It's out of the box. Works fine without SSL but
>>>on SSL trying to edit a page causes 'can't find server'. Firefox though
>>>works perfectly viewing and editing so it's a browser issue. I know of other
>>>people who have issues with IE and posting images over SSL. Must be
>>>something to do with POST security over IE. I'm going to take it up with
>>>them but don't expect too much of a response. I'm now about to try with
>>>Opera.


On 2/14/06, Igor Stroh <igor at rulim.de> wrote:
>
> michael nt milne wrote:
> > Yes, I do realise that it's hard. Regarding the cookie comment that
> > was the reason I wanted to use Apache <location> based login. I do
> > realise that leaving a logon cookie is insecure and that comment was
> > perhaps misguided. I started to think about usability etc.
> >
> > I'm going to block 8080 at the router/firewall level as Zope obviously
> > needs to keep serving through 8080 to Apache.
>
> No need to do that, just configure your zope (etc/zope.conf) to
> listen only on your loopback interface:
>
> <http-server>
> address 127.0.0.1:8080
> </http-server>
>
> And btw, Zope doesn't *need* to serve on 8080...
>
> HTH,
> Igor
> _______________________________________________
> Zope maillist  -  Zope at zope.org
> http://mail.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
>



--
Michael
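Igor's suggestion above (bind the Zope http-server to 127.0.0.1 so only the local Apache front end can reach it) is the kind of thing worth checking on every deployed zope.conf rather than trusting a router rule. The following is an added example, not code from the thread or from the Zope project: a small audit that parses the `<http-server>` (and any other `*-server`) sections of a zope.conf text and reports whether each `address` directive is bound to a loopback address. It assumes the ZConfig address syntax shown in the thread (`host:port`, or a bare port meaning "all interfaces"); the sample configuration fragments are constructed for the example.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample zope.conf fragments (not taken from the thread).
# The first binds every interface (a bare port), the second only loopback.
EXPOSED_CONF = """\
<http-server>
  address 8080
</http-server>
"""

LOOPBACK_CONF = """\
<http-server>
  address 127.0.0.1:8080
</http-server>
"""

# A server section looks like <http-server> ... </http-server>; ZConfig
# allows several such sections (ftp-server, webdav-source-server, ...).
SECTION_RE = re.compile(r"<([a-z][a-z0-9-]*-server)>(.*?)</\1>", re.S | re.I)
ADDRESS_RE = re.compile(r"^\s*address\s+(\S+)\s*$", re.M)


def split_address(value: str) -> Tuple[str, int]:
    """Split a ZConfig socket address into (host, port).

    Assumption (documented for this example): a bare port such as
    `address 8080` binds all interfaces, which we represent as 0.0.0.0.
    IPv6 literals may be written as [::1]:8080.
    """
    if ":" in value:
        host, port = value.rsplit(":", 1)
        host = host.strip("[]") or "0.0.0.0"
    else:
        host, port = "0.0.0.0", value
    return host, int(port)


def is_loopback(host: str) -> bool:
    """True if the bind host is a loopback address or the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit(conf_text: str) -> List[Tuple[str, str, int, bool]]:
    """Return (section, host, port, loopback_only) for each address directive.

    A False in the last position means the listener is reachable from
    other hosts unless something else (iptables, a router ACL) blocks it.
    """
    findings = []
    for section, body in SECTION_RE.findall(conf_text):
        for m in ADDRESS_RE.finditer(body):
            host, port = split_address(m.group(1))
            findings.append((section.lower(), host, port, is_loopback(host)))
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("loopback", LOOPBACK_CONF)):
        for section, host, port, ok in audit(conf):
            status = "OK (loopback only)" if ok else "EXPOSED to the network"
            print(f"{name}: <{section}> {host}:{port} -> {status}")
```

Run it against a real `etc/zope.conf` by reading the file into `audit()`; any finding whose last field is False is a listener that relies on the firewall alone, which is exactly the situation the thread is debating.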