[Zope-dev] Is there a Security problem with cookie authentication?

Toby Dickenson tdickenson@geminidataloggers.com
Tue, 23 Apr 2002 12:21:11 +0100


On Tue, 23 Apr 2002 11:52:26 +0100, Richard Barrett
<R.Barrett@ftel.co.uk> wrote:

>Unless someone can refute this scenario (please, please do) then it appears
>to me that Cache-Control headers need to be added to all responses
>conditional on authentication by Zope using cookie authentication.

I believe you are correct. Cache-Control:private is needed on pages
accessed under cookie authentication, and probably
Cache-Control:no-cache on the page that sets the cookie.

>Maybe Zope should just add a Cache-Control header with a value of private,
>no-cache or no-store to all responses that its security sub-system
>determines are to other than the Anonymous user. It would do no harm if
>Basic Authentication were being used and would plug the security hole I
>have posited if cookie authentication were in use.

Yes, but it must allow the published method to set its own headers
first.

I once had a patch that did the opposite of that: It set
Cache-Control:public on all responses that were accessed by an
authenticated user, if it determined that an unauthenticated user
could have accessed them too.

>I'd propose a patch myself but I am not that confident in hacking around
>Zope's security management code.

Put it in the Collector.

Toby Dickenson
tdickenson@geminidataloggers.com
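The policy discussed above, written out as a small added example (this is not code from the thread or from Zope itself). It assumes the response headers are available as a plain dict, that the security sub-system reports the user as a name with "Anonymous" for unauthenticated requests, and that the authentication cookie is named `__ac`; all three are assumptions. The published method's own Cache-Control header, if it set one, is left untouched, the response that issues the cookie gets `no-cache`, and every other response to a non-anonymous user gets `private`.

```python
# Added example, not Zope's code: decide the Cache-Control header for a
# response after the published method has had a chance to set its own.
# `headers` is a plain dict standing in for the response header map (an
# assumption), `user` is the name the security sub-system resolved, with
# "Anonymous" for unauthenticated requests, and `cookie_name` is the
# (hypothetical) name of the authentication cookie.

ANONYMOUS = "Anonymous"
AUTH_COOKIE = "__ac"  # hypothetical cookie name, an assumption


def add_cache_control(headers, user, cookie_name=AUTH_COOKIE):
    """Return a copy of `headers` with a Cache-Control value chosen so that a
    shared proxy cache cannot hand one user's authenticated page to another.

    Precedence, highest first:
      1. a Cache-Control header already set by the published method wins;
      2. the response that sets the authentication cookie gets `no-cache`;
      3. any other response served to a non-anonymous user gets `private`;
      4. anonymous responses are left alone.
    """
    out = dict(headers)
    # Header names are case-insensitive, so index them by lower-cased name.
    by_lower = {name.lower(): name for name in out}

    if "cache-control" in by_lower:
        return out  # the method set its own policy first; respect it

    set_cookie_key = by_lower.get("set-cookie")
    set_cookie = out[set_cookie_key] if set_cookie_key else ""
    if set_cookie.startswith(cookie_name + "="):
        # The page that hands out the cookie must never be served from a cache,
        # regardless of whether the user was still Anonymous on this request.
        out["Cache-Control"] = "no-cache"
    elif user != ANONYMOUS:
        # Authenticated content: only the browser's private cache may keep it.
        # Harmless under Basic Authentication, where it is merely redundant.
        out["Cache-Control"] = "private"
    return out


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real server).
    samples = [
        ({"Content-Type": "text/html"}, "Anonymous"),
        ({"Content-Type": "text/html"}, "rbarrett"),
        ({"Content-Type": "text/html", "Cache-Control": "public"}, "rbarrett"),
        ({"Set-Cookie": "__ac=abc123; Path=/"}, "Anonymous"),
    ]
    for hdrs, who in samples:
        print(who, "->", add_cache_control(hdrs, who).get("Cache-Control"))
```

Run the file to see the four cases side by side; the important one is the third, where the method's own `public` header survives, which is the "must allow the published method to set its own headers first" point.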