[Zope] Question about Zope and security

bruno desthuilliers bruno at modulix.org
Thu Mar 30 06:02:15 EST 2006


Cyrille Bonnet wrote:
> Hi there,
> 
> I have been telling all my clients about how great Zope is for security:
> fine-grained permissions, security framework, roles, etc.
> 
> Now, one of my clients has a security expert who took a close look at
> how Zope authenticates users. The results were not good.
> 
> The main problem is that Zope stores the username and password in a
> cookie in clear text (base64 encoded).

*Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
is responsible for this horror.

> Even though it only happens in their internal network, my client wasn't
> too happy, because it makes them vulnerable to a man-in-the-middle attack.
> 
> I know, the odds of that happening are low, but storing the username and
> password in clear text is clearly not best practice.

That's an understatement.

> So, my question is: is there a way to secure Zope authentication?

Yes: use https.

-- 
bruno desthuilliers
developer
bruno at modulix.org
http://www.modulix.com
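An added audit check, not part of this thread and not Zope's or CookieCrumbler's own code, that flags a cookie of the kind described above (base64 of `user:password`, so reversible by anyone who sees the response) and reports the transport and cookie-attribute gaps that make it readable in transit. The `__ac` cookie name and the sample header are assumptions constructed for the example.

```python
# Added example: audit a Set-Cookie header for a CookieCrumbler-style
# credential cookie. Assumption: the value is URL-quoted base64 of
# "user:password" (possibly with a trailing newline); the cookie name
# "__ac" is assumed, not taken from the thread.
import base64
import binascii
from urllib.parse import quote, unquote


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value, attrs


def looks_like_credentials(value):
    """True if the value is base64 text of the form 'user:secret'."""
    try:
        # strip() drops the newline the old base64 encoder appended
        raw = base64.b64decode(unquote(value).strip(), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return False
    return ":" in text and all(ch.isprintable() for ch in text)


def audit_cookie(header, over_https):
    """Return findings for one Set-Cookie header seen on a response."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if looks_like_credentials(value):
        findings.append(f"{name}: base64-encoded credentials (reversible, not a hash)")
        if not over_https:
            findings.append(f"{name}: set over plain HTTP; readable on the network path")
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure attribute; browser resends it over HTTP")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly attribute; readable from page scripts")
    return findings


# Constructed sample: what a CookieCrumbler-style login response might set.
SAMPLE_HEADER = "__ac=" + quote(base64.b64encode(b"alice:s3cret").decode()) + "; Path=/"

if __name__ == "__main__":
    for finding in audit_cookie(SAMPLE_HEADER, over_https=False):
        print(finding)
```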

