[Zope] - Secure Server

Jeff Bauer jbauer@rubic.com
Mon, 25 Jan 1999 12:46:53 -0600


"Christopher G. Petrilli" wrote:
> Based on real-world benchmarks, SSL generally has an order of magnitude
> impact (sometimes more) on performance... the key negotiation is a huge
> CPU burden, and must be performed with the start of each SSL session
> (which under HTTP/1.0 is every HTTP query)... what I've recommended to a
> lot of people doing "high performance" servers is to use SSL to gather
> UID/password, then issue a "ticket" (aka cookie) that is valid, and then
> let the cookie be passed around.  While this isn't 100%, and does allow
> for certain types of replay/mim vectors, it does provide a good bit more
> real world security than passing uids in the clear.

Interesting.  I was estimating that our hit was more like 2:1, but I'm sure
it would degrade in the absence of a multiprocessor server ;-)
Are you implementing such a policy (above) using Zope?  I'd be
very interested to hear more.

Regards,

Jeff Bauer
Rubicon, Inc.
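
The ticket scheme described in the quoted message, sketched as an added example; it is not part of the original post and is not Zope code. The names `issue_ticket` and `verify_ticket`, the HMAC-SHA256 construction, the demo key and the 15-minute lifetime are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key (assumption); a real server loads a random secret
# from protected storage and never ships it in source.
SERVER_KEY = b"constructed-demo-key"
TICKET_LIFETIME = 900  # seconds; assumed value, not from the thread


def _sign(payload: bytes) -> bytes:
    """HMAC over the exact payload bytes, hex-encoded."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_ticket(uid: str, now: Optional[float] = None) -> str:
    """Issue a ticket once the UID/password check on the SSL login succeeded."""
    issued = time.time() if now is None else now
    payload = f"{uid}|{int(issued + TICKET_LIFETIME)}".encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload).decode()}"


def verify_ticket(ticket: str, now: Optional[float] = None) -> Optional[str]:
    """Return the uid for an authentic, unexpired ticket, otherwise None."""
    try:
        body, mac = ticket.split(".")
        payload = base64.urlsafe_b64decode(body.encode())
        uid, expires_text = payload.decode().rsplit("|", 1)
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed ticket
    # Constant-time comparison so the check does not leak MAC bytes via timing.
    if not hmac.compare_digest(mac.encode(), _sign(payload)):
        return None  # forged or altered ticket
    current = time.time() if now is None else now
    if current >= expires:
        return None  # expired: bounds how long a captured ticket is useful
    return uid
```

The server accepts any authentic ticket until it expires, so a ticket captured from a cleartext request can be replayed inside that window; this is the replay exposure the quoted message concedes, and the lifetime is the knob that limits it.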