[Zope-dev] Re: [patch] More secure cookie crumbler?

Peter Sabaini peter at sabaini.at
Tue Apr 20 11:15:02 EDT 2004


Shane Hathaway wrote:
> On Tue, 20 Apr 2004, Peter Sabaini wrote:
> 
> 
>>Shane Hathaway wrote:
>>
>>>Even with unbreakable encryption of credentials after login, you still
>>>send the username and password in the clear at login time, and sniffers
>>>can reuse the session ID with ease.  You really shouldn't tell the Plone
>>>users they will be safer with a session token, because they won't.
>>
>>Why not make the login page itself SSL-protected then?
> 
> 
> If you're going to go to the trouble of setting up SSL, why not encrypt
> the whole session?  Let anonymous users come in via HTTP, then go all-SSL
> for logged in users.  Sourceforge is a great example of this.

Yes, that's what I was talking about. In our Zope apps this is standard
procedure -- we have one non-SSL welcome page at the most; everything
else goes through HTTPS, which makes sense IMHO for data acquisition
applications with at least moderately sensitive data.

peter.
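One way to implement the split described in this exchange (anonymous traffic over HTTP, login and every logged-in request over HTTPS, and a session cookie that browsers will never send in the clear) is sketched below. This is an added example, not code from the thread or from Zope's CookieCrumbler; the cookie name `__ac`, the protected path list, the WSGI environ keys used and the function names are assumptions made for the illustration.

```python
"""Added example: a small WSGI-style policy for the HTTP/HTTPS split
discussed above. Not code from the thread or from Zope/CookieCrumbler."""
from http import cookies
from urllib.parse import urlunsplit

# Assumed name of the authentication cookie (CookieCrumbler's default is
# also "__ac", but treat this as an assumption for the example).
SESSION_COOKIE = "__ac"

# Assumed paths that carry credentials and must therefore never be served
# over plain HTTP, even for users who are not logged in yet.
PROTECTED_PATHS = ("/login", "/logged_in")


def _has_session(environ):
    """True if the request carries a session cookie, i.e. the user is logged in."""
    jar = cookies.SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return SESSION_COOKIE in jar


def https_url(environ):
    """Rebuild the requested URL with an https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return urlunsplit(
        ("https", host, environ.get("PATH_INFO", "/"), environ.get("QUERY_STRING", ""), "")
    )


def decide(environ):
    """Policy decision for one request.

    Returns ("pass", None) when the request may be served as-is, or
    ("redirect", url) when it must be bounced to HTTPS first.
    """
    if environ.get("wsgi.url_scheme", "http") == "https":
        return ("pass", None)          # already encrypted, nothing to do
    path = environ.get("PATH_INFO", "/")
    if _has_session(environ) or path.startswith(PROTECTED_PATHS):
        # A logged-in user or a credential-carrying page over plain HTTP:
        # redirect so neither the token nor the password crosses the wire
        # unencrypted.
        return ("redirect", https_url(environ))
    return ("pass", None)              # anonymous browsing may stay on HTTP


def session_cookie_header(token):
    """Set-Cookie value for the session token.

    The Secure flag makes browsers withhold the cookie on HTTP requests, so a
    sniffer on the plaintext side never sees it; HttpOnly keeps it away from
    page scripts.
    """
    jar = cookies.SimpleCookie()
    jar[SESSION_COOKIE] = token
    jar[SESSION_COOKIE]["secure"] = True
    jar[SESSION_COOKIE]["httponly"] = True
    jar[SESSION_COOKIE]["path"] = "/"
    return jar[SESSION_COOKIE].OutputString()


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    anon = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.org", "PATH_INFO": "/welcome"}
    login = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.org", "PATH_INFO": "/login"}
    member = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.org",
              "PATH_INFO": "/docs", "QUERY_STRING": "page=2", "HTTP_COOKIE": "__ac=abc"}
    for name, env in (("anonymous", anon), ("login form", login), ("member", member)):
        print(name, "->", decide(env))
    print(session_cookie_header("abc"))
```

The redirect only helps once the cookie is also marked Secure: without that flag a user who types an `http://` URL by hand would still send the token in the clear before the redirect is ever issued.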