[ZDP] BackTalk to Document The Zope Book (2.5 Edition)/Using Basic Zope Objects

webmaster@zope.org webmaster@zope.org
Tue, 24 Sep 2002 09:37:49 -0400

A comment to the paragraph below was recently added via http://www.zope.org/Documentation/Books/ZopeBook/current/BasicObject.stx#2-88


    It is important to realize that keeping sensitive data in a
    session data object is potentially insecure unless the connection
    between browsers and Zope is encrypted in some way.  Don't store
    sensitive information such as phone numbers, addresses, account
    numbers, credit card numbers or any other personal information
    about your site visitors unless you've secured the connection
    between Zope and site visitors via SSL.

      % Anonymous User - Sep. 24, 2002 8:49 am:
       So the actual session data is stored on the client side (in a cookie or form variables)? Wouldn't it be
       better (more secure and less traffic) if the session data was instead stored on the server, where the client
       kept/transmitted only the session id?

      % Anonymous User - Sep. 24, 2002 9:11 am:
       No. The session data is stored on the server. It is referred to only by a cookie on the client. The security
       risk revolves around the fact that if an interceptor gets the cookie value, they have access to the data on
       the server.

      % Anonymous User - Sep. 24, 2002 9:23 am:
       Well then it doesn't seem that the interceptor would necessarily have *access* to the data (in the sense that
       he could see, for example, the credit card number). But he could pose as the user, which would allow him to
       *use* the credit card number.

      % Anonymous User - Sep. 24, 2002 9:37 am:
       Yes, the user could use the credit card number. He might not be able to see the credit card number if you're
       absolutely sure that the user can never see a representation of the session data. But if the interceptor
       found another hole in the system, he might be able to see the credit card number.