[Plone-users] Re: [Zope-CMF] CookieCrumbler security issue?
Chris Withers
chris at simplistix.co.uk
Fri Jan 23 04:33:57 EST 2004
Seb Potter wrote:
> This is a universal problem of using cookies as a method of providing
> persistent authentication.
Indeed, although HTTP Basic Authentication is even worse!
> Cookies are a non-ideal solution that really
> should only be used in conjunction with an SSL-secured connection if
> you're worried about transmission security.
Yup, but see my question to Lennart; I'm particularly concerned about when you
have an HTTPS and an HTTP site at the same domain...
> The point being: if you're using cookies for authentication and you're
> transmitting in cleartext, then your connection is open to a
> packet-sniffing attack, regardless of how you obfuscate your
> authentication token.
True... I guess that is also true for HTTP Basic auth?
> Of course, using cookies will always expose you to the worst security
> nightmare: compromise of the remote terminal. (Fortunately, without
> being able to control the end-user, there's not a great deal you can do
> about this in a web environment.)
Well, again, how does this differ with HTTP Basic Auth?
> Whilst I agree that this is a fair compromise in most cases, it
> certainly is not the right route if you're paranoid about security.
What would be?
cheers,
Chris
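The two concerns raised in the exchange above, a cookie set by an HTTPS site leaking to an HTTP site on the same domain and credentials being readable off the wire, can be reproduced with the standard library. The following is an added example, not code from the thread and not CookieCrumbler's own code: it feeds a constructed Set-Cookie header into a `http.cookiejar.CookieJar` and reports which Cookie header a browser-like client would attach to a later HTTP or HTTPS request, with and without the `Secure` attribute, then decodes a captured Basic auth header. The hostnames, the cookie name `session`, the token and the credentials alice/hunter2 are made up for illustration.

```python
"""Added example: cookie transmission over HTTP vs HTTPS on one domain,
and what a sniffer recovers from HTTP Basic authentication.
Standard library only; all hosts, names and values are constructed."""
import base64
import email.message
import http.cookiejar
import urllib.request


class _CannedResponse:
    """Minimal stand-in for an HTTP response: CookieJar.extract_cookies()
    only needs .info() to return something with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends on repeated keys

    def info(self):
        return self._headers


def cookies_sent(set_cookie_header, login_url, later_url):
    """Store the cookie from `set_cookie_header` as if `login_url` had set it,
    then return the Cookie header a client would attach to `later_url`
    (None when the jar's policy withholds every cookie)."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy honours the Secure attribute
    login = urllib.request.Request(login_url)
    jar.extract_cookies(_CannedResponse([set_cookie_header]), login)
    later = urllib.request.Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


def basic_auth_credentials(authorization_header):
    """Recover user name and password from an Authorization header seen on
    the wire. Basic auth is base64, an encoding rather than encryption, so
    a sniffer on a cleartext connection gets the credentials back directly."""
    scheme, _, blob = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not HTTP Basic authentication")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


# Constructed scenario: an HTTPS login host and a plain-HTTP host under one domain.
LOGIN_URL = "https://secure.example.com/login"
PLAIN_URL = "http://www.example.com/"
TLS_URL = "https://secure.example.com/account"

# Same auth cookie, once without and once with the Secure attribute (constructed).
LEAKY = "session=s3cr3t-token; Domain=example.com; Path=/"
SAFE = "session=s3cr3t-token; Domain=example.com; Path=/; Secure"

if __name__ == "__main__":
    # The cookie without Secure is sent in cleartext to the HTTP host;
    # the Secure cookie is withheld there but still sent over HTTPS.
    print("no Secure, HTTP :", cookies_sent(LEAKY, LOGIN_URL, PLAIN_URL))
    print("Secure,    HTTP :", cookies_sent(SAFE, LOGIN_URL, PLAIN_URL))
    print("Secure,    HTTPS:", cookies_sent(SAFE, LOGIN_URL, TLS_URL))
    # Constructed Authorization header for alice:hunter2, as a sniffer would see it.
    print("Basic auth on the wire:", basic_auth_credentials("Basic YWxpY2U6aHVudGVyMg=="))
```

The `Secure` attribute only controls where the cookie is sent; it does nothing about a cookie that was already captured or a compromised client, which is the point made in the quoted text.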