[Zope] Re: Question about Zope and security
Cyrille Bonnet
cyrille at 3months.com
Thu Mar 30 15:54:47 EST 2006
Thanks to all for your feedback: I understand better what is going on now.
SSL is definitely the way to go, that would solve all my problems.
Now, just to push the problem a bit further: ideally, I'd like to put
SSL just on the login form. Zope would authenticate the user in that
request and return a "session ID" that would then be passed back and
forth in each request (without SSL).
That would be a balanced approach to security: I don't have to put SSL
across the entire site. The site will be vulnerable to man-in-the-middle
attacks, but only for the duration of a session.
Is it possible to do that with Zope? Or does Zope require identifying
the user on each request?
Thanks for the help.
Cyrille
bruno desthuilliers wrote:
> Cyrille Bonnet wrote:
>
>>Hi there,
>>
>>I have been telling all my clients about how great Zope is for security:
>>fine-grained permissions, security framework, roles, etc.
>>
>>Now, one of my clients has a security expert who took a close look at
>>how Zope authenticates users. The results were not good.
>>
>>The main problem is that Zope stores the username and password in a
>>cookie in clear text (base64 encoded).
>
>
> *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
> is responsible for this horror.
>
>
>>Even though it only happens in their internal network, my client wasn't
>>too happy, because it makes them vulnerable to a man-in-the-middle attack.
>>
>>I know, the odds of that happening are low, but storing the username and
>>password in clear text is clearly not best practice.
>
>
> That's an understatement.
>
>
>>So, my question is: is there a way to secure Zope authentication?
>
>
> Yes: use https.
>
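Editor's note (not part of the thread): the two schemes discussed above, as an added Python example that is not CookieCrumbler's or Zope's own code. The first half models the cookie the security reviewer objected to, assuming the layout base64("username:password"), URL-quoted (an assumption made here for illustration); decoding it shows why base64 is not protection. The second half is the "session ID" design Cyrille asks about: the password is checked once, a random token is stored server-side, and later requests are authenticated by that token alone. The names `SessionStore`, `sniff_credentials` and the `__ac_session` cookie are invented for this example. Note the caveat the design carries: a token sent over plain HTTP is a bearer credential, so anyone who captures it owns the session until it expires or is logged out, and the `Secure` cookie attribute (which stops the browser sending the cookie over HTTP at all) only helps if the whole site is served over https.

```python
import base64
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote, unquote

# ---- 1. Credentials in the cookie (the scheme criticised in the thread) ----
# Assumed layout for illustration: base64("username:password"), URL-quoted.


def make_credential_cookie(username: str, password: str) -> str:
    """Build the cookie value a credential-in-cookie login would set."""
    raw = f"{username}:{password}".encode()
    return quote(base64.b64encode(raw).decode())


def sniff_credentials(cookie_value: str) -> Tuple[str, str]:
    """What an on-path observer does with that cookie: just decode it.

    Base64 is an encoding, not encryption; no key is needed.
    """
    decoded = base64.b64decode(unquote(cookie_value)).decode()
    user, _, password = decoded.partition(":")
    return user, password


# ---- 2. Session token issued at login, checked on every later request ----

# Constructed user table for the example (plaintext for brevity; a real
# deployment stores password hashes).
USERS: Dict[str, str] = {"cyrille": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the constructed user table."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


class SessionStore:
    """Server-side map of random token -> (username, expiry).

    The password is verified once, at login; afterwards only the token
    travels with each request. Anyone holding a valid token is the user
    until it expires or is revoked, which is the trade-off in the thread.
    """

    def __init__(self, ttl_seconds: int = 1800,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session token, or None if the password is wrong."""
        if not check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, self.clock() + self.ttl)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Map a presented token to a username; None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() > expires_at:
            del self._sessions[token]  # drop stale sessions eagerly
            return None
        return username

    def logout(self, token: str) -> None:
        """Revoke a token; a captured copy stops working immediately."""
        self._sessions.pop(token, None)


def session_cookie_header(token: str, https_everywhere: bool) -> str:
    """Set-Cookie line for the token cookie (cookie name is invented here).

    HttpOnly keeps scripts away from the token. Secure makes the browser
    refuse to send it over plain HTTP, which defeats sniffing but also the
    proposed "SSL only on the login form" design, since the cookie would
    never reach the non-SSL pages.
    """
    attrs = ["__ac_session=" + token, "Path=/", "HttpOnly"]
    if https_everywhere:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)
```

Running the first half against a cookie captured on the wire recovers the password directly; running the second half shows that a captured token is equally usable by the attacker, but only until `logout` or the TTL, and that it never reveals the password itself. That is the precise gain of the session-ID design over CookieCrumbler's cookie, and the precise limit of it without https on every request.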