[Zope] Question about Zope and security

Terry Hancock hancock at anansispaceworks.com
Wed Mar 29 22:29:29 EST 2006


Cyrille Bonnet wrote:

> The main problem is that Zope stores the username and password in a 
> cookie in clear text (base64 encoded).
>
> Even though it only happens in their internal network, my client 
> wasn't too happy, because it makes them vulnerable to a 
> man-in-the-middle attack.
>
> I know, the odds of that happening are low, but storing the username 
> and password in clear text is clearly not best practice.
>
> So, my question is: is there a way to secure Zope authentication?
>
Stock Zope doesn't use cookie authentication, so you're actually talking
about an alternate user folder product (which you don't specify and I don't
know that many of them, so I can't really comment much -- except that
SimpleUserFolder with CookieCrumbler will indeed put you in this situation
(or did the last time I checked)).

The fact that Zope stores passwords as plain text is not the issue if you're
worried about man-in-the-middle attacks, though. The problem there is that
you are passing passwords in plain text in the request, and there is almost
no way around that unless you run an SSL (HTTPS) server, which you should if
you want real security.

Encrypting your password database without moving your server login to HTTPS
is only going to create inconvenience without improved security (you can no
longer send password reminders, for example) -- it's a false sense of
security.

So, IMHO, secure the server, then worry about password databases.

Cheers,
Terry
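The point Terry is making, shown as an added example that is not part of the original thread and not Zope or CookieCrumbler code: anyone who can read the plain-HTTP request gets the login back with a few lines of Python, whether it travels in a cookie or in the HTTP Basic `Authorization` header that stock Zope uses, so hashing the stored password changes nothing on the wire. The cookie layout assumed here (a cookie named `__ac` holding URL-quoted base64 of `user:password`) is my recollection of how CookieCrumbler built it and is an assumption, not something the post states; the two sample requests and the `admin:hunter2` credentials are constructed for the example.

```python
import base64
from urllib.parse import unquote


def _split_credentials(b64_text):
    """Decode base64 'user:password' (the shape used by both HTTP Basic auth
    and, by assumption, a CookieCrumbler-style __ac cookie).
    Returns (user, password) or None when the value does not decode."""
    try:
        decoded = base64.b64decode(b64_text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def parse_cookie_header(header_value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; malformed parts are skipped."""
    cookies = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def credentials_from_request(raw_request, cookie_name="__ac"):
    """Scan one captured plain-HTTP request for credentials sent in the clear.

    Returns a list of (source, user, password) tuples, one per place the
    request leaked a login: the Authorization header and/or the auth cookie.
    Base64 is an encoding, not encryption, so no key is needed to read them.
    """
    found = []
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line itself
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "authorization" and value.lower().startswith("basic "):
            creds = _split_credentials(value[6:].strip())
            if creds:
                found.append(("authorization", *creds))
        elif name == "cookie":
            raw = parse_cookie_header(value).get(cookie_name)
            if raw is not None:
                # Assumed cookie format: URL-quoted base64("user:password").
                creds = _split_credentials(unquote(raw))
                if creds:
                    found.append(("cookie", *creds))
    return found


# Constructed sample traffic, as a sniffer on the same network segment sees it.
COOKIE_REQUEST = (
    "GET /manage_main HTTP/1.1\r\n"
    "Host: intranet.example.internal\r\n"
    "Cookie: __ac=YWRtaW46aHVudGVyMg%3D%3D; tree-s=eJzT0yMAAGTvBe8%3D\r\n"
    "\r\n"
)
BASIC_REQUEST = (
    "GET /manage_main HTTP/1.1\r\n"
    "Host: intranet.example.internal\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("cookie login", COOKIE_REQUEST), ("basic login", BASIC_REQUEST)):
        for source, user, password in credentials_from_request(req):
            print(f"{label}: {source} header leaks {user!r} / {password!r}")
```

Both captures decode to the same `admin` / `hunter2` pair, which is the whole argument for putting the login behind HTTPS first: TLS is what keeps this script from working, and the password-database format is a separate concern.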
