[Zope] Re: SSL Redirect for CookieCrumbler
Josef Meile
jmeile at hotmail.com
Mon Jun 19 11:07:01 EDT 2006
Hi Chris,
>> I need to redirect all my http requests to the login_form of the
>> CookieCrumbler to https, so, I wrote this rule in Apache:
>
> Why bother? Just because the form is secure doesn't make cookie
> authentication any more secure.
Yes, you're right. That is exactly the conclusion I also came to
after finding an interesting article on plone.org, which talks about this:
* Secure login without plain text passwords
http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords
The only problem is that the product mentioned there, SessionCrumbler,
is based on the CMF CookieCrumbler and not the Standalone version.
I guess it wouldn't be difficult to port; I even tried it by replacing
the CMF imports with the Standalone version, but it didn't work. Zope
hung and I didn't even get a traceback. Anyway, I'm not going to spend
more time trying to get this working. I will perhaps try to write a
patch to the basic http authentication like CookieCrumbler does, but
instead of showing the login forms, I want to do a redirect if the
request is insecure, so you will still get the popup window, but in https.
>
> Do you stay in https once authenticated?
>
Yes, the problem, if you read my post, was that with the Apache
RewriteRule, I could authenticate myself in SSL, but after that the
browser took me back again to http -> See the article; it exposes
the problem clearly.
Regards
Josef