[Zope] Question about Zope and security
Lennart Regebro
regebro at gmail.com
Thu Mar 30 01:58:20 EST 2006
On 3/30/06, Cyrille Bonnet <cyrille at 3months.com> wrote:
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).
As mentioned before, Zope doesn't, but CookieCrumbler (and hence Plone) does.
And the security expert is not much of a security expert at all if
he doesn't know this:
You will only get real web security with SSL.
> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.
All plain http is vulnerable to that, which is why, if you care about
security, you need to use https.
> So, my question is: is there a way to secure Zope authentication?
Yup. See above. :)
> Also, if it is good, why is it not part of default Zope??
Good question. :-)
However, today you want to use PAS, the new fancy modular user folder
for Zope. I don't know if it works with Plone yet, though.
--
Lennart Regebro, Nuxeo http://www.nuxeo.com/
CPS Content Management http://www.cps-project.org/
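An added audit helper, not code from this thread or from Zope/CookieCrumbler, that shows why the reply's point holds: a cookie carrying base64-encoded "user:password" is readable by anyone on the path, so the only real protection is never letting it travel over plain http. The cookie name `__ac` and the sample value are constructed assumptions, not taken from the thread.

```python
import base64
from urllib.parse import unquote

# Constructed Set-Cookie header in the shape the thread describes.
# The cookie name "__ac" is an assumption; the value is base64("alice:s3cr3t").
SAMPLE_SET_COOKIE = "__ac=YWxpY2U6czNjcjN0; Path=/"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val  # flag attributes like Secure have an empty val
    return name, value, attrs


def decode_basic_credentials(value):
    """Return (user, password) if value is base64 of 'user:password', else None.

    base64 is an encoding, not encryption: reversing it needs no secret, which
    is exactly why such a cookie is only as safe as the transport carrying it.
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return unquote(user), unquote(password)


def audit_cookie(header):
    """List the weaknesses a defender would flag for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    creds = decode_basic_credentials(value)
    if creds:
        findings.append("cookie %r carries recoverable credentials for user %r"
                        % (name, creds[0]))
    if "secure" not in attrs:
        # Without Secure the browser also sends the cookie over plain http,
        # so deploying https alone does not close the man-in-the-middle hole.
        findings.append("cookie %r lacks the Secure attribute" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_cookie(SAMPLE_SET_COOKIE):
        print(finding)
```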