[Zope] Question about Zope and security
Terry Hancock
hancock at anansispaceworks.com
Wed Mar 29 22:29:29 EST 2006
Cyrille Bonnet wrote:
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).
>
> Even though it only happens in their internal network, my client
> wasn't too happy, because it makes them vulnerable to a
> man-in-the-middle attack.
>
> I know, the odds of that happening are low, but storing the username
> and password in clear text is clearly not best practice.
>
> So, my question is: is there a way to secure Zope authentication?
>
Stock Zope doesn't use cookie authentication, so you're actually talking about an alternate user folder product (which you don't specify and I don't know that many of them, so I can't really comment much -- except that SimpleUserFolder with CookieCrumbler will indeed put you in this situation (or did the last time I checked)).

The fact that Zope stores passwords as plain text is not the issue if you're worried about man-in-the-middle attacks, though. The problem there is that you are passing passwords plain text in the request, and there is almost no way around that unless you run an SSL (HTTPS) server. Which you should if you want real security.

Encrypting your password database without moving your server login to HTTPS is only going to create inconvenience without improved security (you can no longer send password reminders, for example) -- it's a false sense of security.
So, IMHO, secure the server, then worry about password databases.
Cheers,
Terry
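An added example, not part of this thread or of Zope itself, illustrating the point made above: base64 is a transport encoding rather than encryption, so a credential carried in an HTTP Basic `Authorization` header or in a login cookie is readable by anyone on the network path, and the only thing that protects it on the wire is TLS. The script audits a few constructed request captures and flags credentials sent over plain HTTP. The cookie name `login_cookie` is a placeholder assumption (the real name depends on the user folder product), and the captures are made up for the example.

```python
"""Audit HTTP request captures for credentials sent without TLS (added example)."""
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import unquote

# Hypothetical cookie name for a cookie-based user folder; the real name
# depends on the product in use (assumption, not taken from the thread).
LOGIN_COOKIE = "login_cookie"

# Constructed sample captures as (scheme, raw request); not real traffic.
SAMPLE_REQUESTS = [
    ("http", "GET /manage_main HTTP/1.1\r\nHost: zope.example\r\n"
             "Authorization: Basic YWRtaW46czNjcjN0\r\n\r\n"),
    ("http", "GET /index_html HTTP/1.1\r\nHost: zope.example\r\n"
             "Cookie: login_cookie=YWxpY2U6aHVudGVyMg%3D%3D; other=1\r\n\r\n"),
    ("https", "GET /manage_main HTTP/1.1\r\nHost: zope.example\r\n"
              "Authorization: Basic YWRtaW46czNjcjN0\r\n\r\n"),
    ("http", "GET /public HTTP/1.1\r\nHost: zope.example\r\n\r\n"),
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_credential(token: str) -> Optional[str]:
    """Return 'user:password' if token is base64 of such a pair, else None.

    No key is involved: base64 only changes the representation of the bytes,
    so any observer of the request can recover the pair exactly like this.
    """
    try:
        text = base64.b64decode(unquote(token), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if ":" in text else None


def masked(credential: str) -> str:
    """Report the user name but never echo the password in audit output."""
    user, _, password = credential.partition(":")
    return f"{user}:{'*' * len(password)}"


def audit_request(scheme: str, raw: str) -> List[Dict[str, object]]:
    """List credentials found in a request, marking each as exposed unless the
    request travelled over HTTPS."""
    headers = parse_headers(raw)
    found: List[Dict[str, object]] = []

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        cred = decode_credential(auth[6:])
        if cred:
            found.append({"where": "Authorization: Basic", "credential": masked(cred)})

    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == LOGIN_COOKIE:
            cred = decode_credential(value)
            if cred:
                found.append({"where": f"Cookie {name}", "credential": masked(cred)})

    # Encoding or hashing the stored password changes nothing here: what
    # protects the credential on the wire is the transport, i.e. TLS.
    for finding in found:
        finding["exposed"] = scheme.lower() != "https"
    return found


if __name__ == "__main__":
    for scheme, raw in SAMPLE_REQUESTS:
        for finding in audit_request(scheme, raw):
            status = "EXPOSED on the wire" if finding["exposed"] else "protected by TLS"
            print(f"{scheme}: {finding['where']} {finding['credential']} -> {status}")
```

Run it as-is and the two plain-HTTP requests carrying credentials are reported as exposed while the identical request over HTTPS is not, which is the whole of the argument above in executable form: move the login to HTTPS first, then worry about how the password database is stored.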