[Zope] Re: Question about Zope and security

Cyrille Bonnet cyrille at 3months.com
Thu Mar 30 15:54:47 EST 2006


Thanks to all for your feedback: I understand better what is going on now.

SSL is definitely the way to go, that would solve all my problems.

Now, just to push the problem a bit further: ideally, I'd like to put 
SSL just on the login form. Zope would authenticate the user in that 
request and return a "session ID" that would then be passed back and 
forth in each request (without SSL).

That would be a balanced approach to security: I don't have to put SSL 
across the entire site. The site will be vulnerable to man-in-the-middle 
attacks, but only for the duration of a session.

Is it possible to do that with Zope? Or does Zope require identifying 
the user on each request?

Thanks for the help.

Cyrille

bruno desthuilliers wrote:
> Cyrille Bonnet wrote:
> 
>>Hi there,
>>
>>I have been telling all my clients about how great Zope is for security:
>>fine-grained permissions, security framework, roles, etc.
>>
>>Now, one of my clients has a security expert who took a close look at
>>how Zope authenticates users. The results were not good.
>>
>>The main problem is that Zope stores the username and password in a
>>cookie in clear text (base64 encoded).
> 
> 
> *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
> is responsible for this horror.
> 
> 
>>Even though it only happens in their internal network, my client wasn't
>>too happy, because it makes them vulnerable to a man-in-the-middle attack.
>>
>>I know, the odds of that happening are low, but storing the username and
>>password in clear text is clearly not best practice.
> 
> 
> That's an understatement.
> 
> 
>>So, my question is: is there a way to secure Zope authentication?
> 
> 
> Yes: use https.
> 

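As an added example (not code from this thread, nor from Zope or CookieCrumbler), the Python below contrasts the two cookie designs the thread discusses: a base64-encoded credential cookie, whose username and password anyone reading the cookie can recover, and the server-side session Cyrille describes, where the cookie carries only an opaque random id with an expiry. The sample credential and class names are constructed for illustration.

```python
import base64
import secrets
import time

# Constructed sample cookie value in the "user:password" base64 form the
# thread criticizes (not taken from any real deployment).
CREDENTIAL_COOKIE = base64.b64encode(b"cyrille:letmein").decode()


def credentials_from_cookie(cookie_value):
    """Base64 is an encoding, not encryption: whoever reads the cookie
    (on the wire, in a proxy log, in a browser dump) reads the password."""
    user, _, password = base64.b64decode(cookie_value).decode().partition(":")
    return user, password


class SessionStore:
    """Server-side sessions as sketched in the post: the password is seen
    only by the (SSL-protected) login request; later requests carry an
    opaque random id that the server maps to a user until it expires or
    is revoked. `now` is injectable so expiry can be tested deterministically."""

    def __init__(self, ttl_seconds=1800, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self.sessions = {}  # session id -> (username, expiry timestamp)

    def login(self, username):
        # 32 random bytes (256 bits): unguessable, and meaningless off-server.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, self.now() + self.ttl)
        return sid

    def user_for(self, sid):
        """Return the user bound to `sid`, or None if unknown or expired."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, expiry = entry
        if self.now() > expiry:
            del self.sessions[sid]  # expired ids are purged on first use
            return None
        return username

    def logout(self, sid):
        # Revocation is possible here; a credential cookie cannot be
        # invalidated server-side without changing the password.
        self.sessions.pop(sid, None)
```

The session id is still a bearer token: sent over plain HTTP it can be replayed by anyone who observes it until it expires or is revoked, which is exactly the window the post accepts in exchange for not running SSL site-wide.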