[ZDP] BackTalk to Document The Zope Book (2.5 Edition)/Using Basic Zope Objects

webmaster@zope.org
Tue, 24 Sep 2002 09:11:50 -0400


A comment to the paragraph below was recently added via http://www.zope.org/Documentation/Books/ZopeBook/current/BasicObject.stx#2-88

---------------

    It is important to realize that keeping sensitive data in a
    session data object is potentially insecure unless the connection
    between browsers and Zope is encrypted in some way.  Don't store
    sensitive information such as phone numbers, addresses, account
    numbers, credit card numbers or any other personal information
    about your site visitors unless you've secured the connection
    between Zope and site visitors via SSL.

      % Anonymous User - Sep. 24, 2002 8:49 am:
       So the actual session data is stored on the client side (in a cookie or form variables)? Wouldn't it be
       better (more secure and less traffic) if the session data was instead stored on the server, where the client
       kept/transmitted only the session id?

      % Anonymous User - Sep. 24, 2002 9:11 am:
       No. The session data is stored on the server. It is referred to only by a cookie on the client. The security
       risk revolves around the fact that if an interceptor gets the cookie value, they have access to the data on
       the server.
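
To illustrate the arrangement described in the second comment (data on the server, cookie holding only an id), here is a small added example; it is not code from the Zope Book or from Zope itself. It assumes an in-memory dict as the store and `_ZopeId` as the cookie name (Zope's default browser-id cookie, assumed here); setting the cookie's Secure flag is the browser-side counterpart of the book's advice to serve the site over SSL.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side store: opaque browser id -> session data (constructed, in-memory).
SESSION_STORE = {}
COOKIE_NAME = "_ZopeId"  # assumption: Zope's default browser-id cookie name


def new_session(data):
    """Create a session on the server and return (id, Set-Cookie header).
    Only the random id travels to the client; the data stays in SESSION_STORE."""
    browser_id = secrets.token_urlsafe(16)
    SESSION_STORE[browser_id] = dict(data)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = browser_id
    cookie[COOKIE_NAME]["secure"] = True    # browser sends it only over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True  # not readable by page scripts
    return browser_id, cookie.output(header="Set-Cookie:")


def lookup_session(cookie_header):
    """Resolve the session for an incoming Cookie header value, or None.
    Whoever presents a valid id gets the data: the id is the whole credential,
    which is why it must not cross the wire in the clear."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSION_STORE.get(morsel.value)


def demo():
    """Create one session, then look it up with the real id and a random one."""
    browser_id, set_cookie = new_session({"account": "ACCT-0001 (constructed)"})
    legit = lookup_session(f"{COOKIE_NAME}={browser_id}")
    guessed = lookup_session(f"{COOKIE_NAME}={secrets.token_urlsafe(16)}")
    return set_cookie, legit, guessed


if __name__ == "__main__":
    header, found, missed = demo()
    print(header)            # Set-Cookie: _ZopeId=...; HttpOnly; Secure
    print(found, missed)     # {'account': ...} None
```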