[Zope-CMF] Re: [Plone-developers] PLIP - Ship SessionCrumbler instead of CookieCrumbler

Simon Eisenmann simon at struktur.de
Tue Oct 12 10:43:46 EDT 2004


On Tue, 2004-10-12 at 16:15 +0200, Jean-Marc Orliaguet wrote:

> All you need to do is to set a _ZopeID cookie that you have stolen, login
> (you are already logged in), and use the 'mail password' script to send
> the password.

Ok, right, that's a problem. But I think I can wrap the password in the
session inside a special object which itself does some additional
verification that this request really may access this session. Such
additional checks could check the source IP address of the client, for
instance. Doing stuff like this would mean that the user needs to fake an
HTTP request, which is a bit more complex than just using the mail
password script. How do you feel about this?


Cheers,
 Simon

-- 
Simon Eisenmann

[ mailto:simon at struktur.de ]

[ struktur AG | Friedrichstr. 14 | 70174 Stuttgart ]
[ T. +49.711.896656.68 | F.+49.711.89665610 ]
[ http://www.struktur.de | mailto:info at struktur.de ]
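As an added example (not code from this thread, from Zope or from Plone), here is one way the session wrapper described in the reply above could look; the `Request` class is a constructed stand-in for a Zope request, and binding to client address plus user agent is an assumption chosen for illustration. The secret is readable only by requests whose fingerprint matches the one recorded when it was stored, so a replayed session cookie presented from another client is refused.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class SessionBindingError(Exception):
    """Raised when a request does not match the binding stored in the session."""


@dataclass
class Request:
    """Minimal stand-in for a Zope request (constructed for this example)."""
    remote_addr: str
    user_agent: str


class BoundSecret:
    """Wraps a secret kept in a session so that only requests matching the
    client fingerprint recorded at creation time can read it."""

    def __init__(self, secret: str, request: Request) -> None:
        self._secret = secret
        # Random salt so the session does not store the raw address/agent.
        self._salt = secrets.token_bytes(16)
        self._fingerprint = self._fingerprint_of(request)

    def _fingerprint_of(self, request: Request) -> bytes:
        material = f"{request.remote_addr}|{request.user_agent}".encode()
        return hashlib.sha256(self._salt + material).digest()

    def get(self, request: Request) -> str:
        # Constant-time comparison of the stored and current fingerprints.
        if not hmac.compare_digest(self._fingerprint, self._fingerprint_of(request)):
            raise SessionBindingError("request does not match session binding")
        return self._secret


def can_mail_password(stored: BoundSecret, request: Request) -> bool:
    """Gate for a 'mail password' style script: True only if the current
    request is allowed to read the secret held in the session."""
    try:
        stored.get(request)
        return True
    except SessionBindingError:
        return False
```

Binding to the source address is a heuristic only: clients behind NAT or a shared proxy present the same address, and a client whose address changes mid-session will be locked out, so it complements rather than replaces proper session expiry and re-authentication before sensitive actions.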

