[Zope-dev] [patch] More secure cookie crumbler?

Jamie Heilman jamie at audible.transient.net
Mon Apr 12 08:42:37 EDT 2004


Chris Withers wrote:
> PS: To make cookie auth properly secure, you really need to be working over 
> SSL only, and in addition, you should tweak CookieCrumbler further so that 
> it sets the secure session bit, meaning your sessions should only get 
> returned over a secure connection... mind you, to get basic auth to be even 
> vaguely secure, you also need to be working over SSL ;-)

The problem of using cookies for auth creds is a little more complex
than that.  The reality is, in a well written application, cookies
should never be used to store auth creds, even if you only send them
over SSL.  The reason is that client side scripting languages are
usually permitted access to cookie structures whereas they are
explicitly forbidden access to auth cred structures.  This is one of
the main things that makes cross-site scripting attacks dangerous.
...and given that Zope is already highly susceptible to cross-site
scripting attacks...  Of course you can limit the potential for
serious damage with aggressive expiration, source address
restrictions, etc. but few people will go through the trouble, and I'd
wager most people using the various cookie-based auth folder products
don't even know the risks.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly,
 she's not for you." She was cheap, she was stupid and she wouldn't
 load -- well, not for me, anyway."                     -Holly
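The mitigations named above (the Secure bit, aggressive expiration, source address restrictions) in working form, as an added example that is not part of the original thread and is not Zope or CookieCrumbler code: a toy server-side session store that hands the browser only a short-lived random token bound to the client's source address, and emits it with the Secure attribute so the browser returns it over TLS only. The cookie name "__ac" and every function and class name here are hypothetical.

```python
"""Added example (not Zope or CookieCrumbler code): a toy server-side session
store that applies the mitigations the post mentions for cookie-based auth:
a short lifetime ("aggressive expiration"), binding the session to the client's
source address, and emitting the cookie with the Secure attribute so a browser
returns it only over TLS. The cookie name and all identifiers are hypothetical."""
import hmac
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "__ac"  # hypothetical; chosen only to resemble a Zope auth cookie


class SessionStore:
    """Maps opaque random tokens to (user, bound source address, expiry)."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now              # injectable clock, so a test can advance time
        self._sessions = {}         # token -> (user, remote_addr, expires_at)

    def create(self, user, remote_addr):
        # 256 bits from the OS CSPRNG; the cookie carries this token, never the
        # password, so a leaked cookie is worth at most one short-lived session.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, remote_addr, self.now() + self.ttl)
        return token

    def lookup(self, token, remote_addr):
        """Return the user for a live token presented from the bound address,
        else None. Expired entries are purged on sight."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        user, bound_addr, expires_at = rec
        if self.now() >= expires_at:
            del self._sessions[token]
            return None
        # Constant-time compare; a token read out by script and replayed from
        # another host fails here (NAT and proxies make this a coarse control).
        if not hmac.compare_digest(bound_addr.encode(), remote_addr.encode()):
            return None
        return user


def set_cookie_value(token, ttl_seconds, secure=True):
    """Build the value part of a Set-Cookie header for the session token."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["max-age"] = ttl_seconds   # browser discards it after the TTL
    if secure:
        c[COOKIE_NAME]["secure"] = True       # only sent back over https://
    return c[COOKIE_NAME].OutputString()


def browser_would_send(set_cookie_value_str, over_https):
    """Model the one browser rule that matters here: a cookie carrying the
    Secure attribute is returned only on TLS connections."""
    jar = SimpleCookie()
    jar.load(set_cookie_value_str)
    morsel = jar[COOKIE_NAME]
    return over_https or not morsel["secure"]


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    tok = store.create("alice", "10.0.0.5")
    print(set_cookie_value(tok, 60))
    print(store.lookup(tok, "10.0.0.5"), store.lookup(tok, "10.0.0.6"))
```

Note what this does and does not buy you: the token expires quickly, is useless from another source address, and never travels in the clear, which shrinks the window and the value of a stolen cookie. It does nothing about the objection in the post itself, since the cookie is still a document.cookie-readable structure and a script injected into the page can still read it.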


