[Zope] Question about Zope and security

Andrew Milton akm at theinternet.com.au
Thu Mar 30 06:06:53 EST 2006


+-------[ bruno desthuilliers ]----------------------
| Cyrille Bonnet wrote:
| > Hi there,
| > 
| > I have been telling all my clients about how great Zope is for security:
| > fine-grained permissions, security framework, roles, etc.
| > 
| > Now, one of my clients has a security expert who took a close look at
| > how Zope authenticates users. The results were not good.
| > 
| > The main problem is that Zope stores the username and password in a
| > cookie in clear text (base64 encoded).
| 
| *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
| is responsible for this horror.

Lots of UserFolders do this by default for compatibility reasons.
CookieCrumbler is just following a long tradition.

It's EXACTLY the same as what you get with Basic Auth.

exUserFolder has a mode that uses a random hash for cookies (I'm sure other
UserFolders have this option as well). But as others have said, if
you're posting to a form and not using https, what's the point.

-- 
Andrew Milton
akm at theinternet.com.au
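The two points made above, shown in code as an added example (this is not Zope, CookieCrumbler or exUserFolder code; the credentials and function names are constructed for illustration): the base64 cookie carries the same payload as a Basic Auth header and decodes straight back to the password, while an opaque random session token reveals nothing about the credentials.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample credentials for the demonstration (not from the thread).
USERNAME = "alice"
PASSWORD = "s3cret"


def legacy_cookie(username: str, password: str) -> str:
    """Cookie value of the kind discussed in the thread: base64("user:pass")."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic Auth carries the identical payload behind the word 'Basic'."""
    return "Basic " + legacy_cookie(username, password)


def recover_credentials(encoded: str) -> Tuple[str, str]:
    """Whoever observes the cookie or header gets the password straight back:
    base64 is a transport encoding, not encryption."""
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password


# Opaque-token alternative (the "random hash" cookie mode mentioned above):
# the cookie holds a random value and the server maps it to the user.
SESSIONS: Dict[str, str] = {}  # token -> username; in-memory stand-in for server-side storage


def issue_session_token(username: str) -> str:
    """Mint a 256-bit random token; nothing about the password is derivable from it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def lookup_session(token: str) -> Optional[str]:
    """Resolve a presented token; compare_digest avoids a timing side channel,
    and an unknown token yields None instead of raising."""
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user
    return None


if __name__ == "__main__":
    cookie = legacy_cookie(USERNAME, PASSWORD)
    print("cookie:", cookie, "->", recover_credentials(cookie))
    print("same payload as Basic Auth:", basic_auth_header(USERNAME, PASSWORD).endswith(cookie))
    token = issue_session_token(USERNAME)
    print("token:", token, "->", lookup_session(token))
    # Either form is readable to an on-path observer unless the request travels over HTTPS.
```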

