[Zope] UserDb extensions

Ross J. Reedstrom reedstrm@rice.edu
Fri, 21 May 1999 09:44:55 -0500


Oleg Machulski wrote:
<snipped Oleg pointing out security problems with cookie authentication>

I agree Oleg, that cookies aren't really any better than plain old basic
authentication on the client<->server side. However, I see I failed to
mention in that note what my set up is - I figured since I'd been
spamming the list with my problems, everyone knew about them ;-) I'm
running Zope under Apache-SSL, so the front side communications are all
encrypted. The leak out the backend to the Db was my only exposure.

Of course, fixing how Zope sets cookies and deals with passwords doesn't
do much good if the client still sends a cleartext password at first
login - there needs to be some client side support for some form of
encryption on the password before it gets sent to the server for the
very first time. Unfortunately, nothing beyond Basic Auth. seems to be
standard, except full blown SSL, encrypting the entire traffic stream
(and it does slow things down). I suppose a Java applet would work, or
perhaps even some really clever javascript? Eventually, this turns into
a Diffie-Hellman key exchange sort of thing, doesn't it? 

Ross
-- 
Ross J. Reedstrom, Ph.D., <reedstrm@rice.edu> 
NSBRI Research Scientist/Programmer
Computer and Information Technology Institute
Rice University, 6100 S. Main St.,  Houston, TX 77005
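The scheme Ross sketches above (client-side transform of the password before the very first login, which "turns into a Diffie-Hellman key exchange sort of thing") as an added worked example; this is not code from the thread, from Zope or from the poster. The group parameters, the `Server` class, the account table and the wordlist are all constructed for the demo. The first function shows what a passive sniffer sees on the wire; the second shows the caveat a practitioner would want spelled out: a DH exchange in which the client cannot verify the server's public value is beaten by an active man-in-the-middle, which is why the practical answer ends up being SSL anyway.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this demo only: p = 2**127 - 1
# is a Mersenne prime and g = 3.  Far too small for real use; a deployment
# would take a standardised group such as RFC 3526 group 14 (2048-bit).
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2        # uniform in 2 .. p-2
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    """Hash the shared secret (peer_pub^priv mod p) into a 32-byte key."""
    # Reject 0, 1 and p-1: a peer sending those forces a predictable secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def password_proof(session_key, nonce, password):
    """Client-side transform of the password: HMAC over the server's nonce.
    Only this tag goes on the wire, never the password itself."""
    return hmac.new(session_key, nonce + password.encode(), hashlib.sha256).digest()


class Server:
    """Minimal account store (constructed sample data) that verifies proofs.
    It still needs the password to recompute the HMAC, which is exactly the
    back-end exposure the message above worries about."""

    def __init__(self, accounts):
        self.accounts = accounts                # {username: password}

    def begin(self):
        """Start an exchange: fresh DH key pair plus a per-login nonce."""
        priv, pub = dh_keypair()
        return priv, pub, secrets.token_bytes(16)

    def verify(self, priv, client_pub, nonce, username, proof):
        password = self.accounts.get(username)
        if password is None:                    # unknown user: never accept
            return False
        key = dh_session_key(priv, client_pub)
        expected = password_proof(key, nonce, password)
        return hmac.compare_digest(expected, proof)


def honest_login(server, username, password):
    """Exchange with no attacker.  Returns (accepted, what a passive sniffer
    sees): two public values, a nonce and a tag, but no password."""
    s_priv, s_pub, nonce = server.begin()
    c_priv, c_pub = dh_keypair()
    proof = password_proof(dh_session_key(c_priv, s_pub), nonce, password)
    accepted = server.verify(s_priv, c_pub, nonce, username, proof)
    return accepted, {"s_pub": s_pub, "c_pub": c_pub, "nonce": nonce, "proof": proof}


def mitm_login(server, username, password, wordlist):
    """The caveat: the client has no way to authenticate the server's public
    value, so an active attacker swaps in its own value in both directions,
    shares a key with each side, guesses the password offline against the
    client's tag and re-proves to the real server.
    Returns (server accepted, password the attacker recovered or None)."""
    s_priv, s_pub, nonce = server.begin()
    a_priv, a_pub = dh_keypair()                # attacker's key pair
    c_priv, c_pub = dh_keypair()
    # Client believes a_pub came from the server.
    proof = password_proof(dh_session_key(c_priv, a_pub), nonce, password)
    # Attacker derives the client-side key and tests candidate passwords.
    key_with_client = dh_session_key(a_priv, c_pub)
    recovered = None
    for guess in wordlist:
        if hmac.compare_digest(password_proof(key_with_client, nonce, guess), proof):
            recovered = guess
            break
    # Attacker finishes the exchange with the real server under its own key.
    key_with_server = dh_session_key(a_priv, s_pub)
    forged = password_proof(key_with_server, nonce, recovered or "")
    accepted = server.verify(s_priv, a_pub, nonce, username, forged)
    return accepted, recovered


if __name__ == "__main__":
    srv = Server({"ross": "correct horse"})     # constructed sample account
    print("honest login accepted:", honest_login(srv, "ross", "correct horse")[0])
    print("MITM result:", mitm_login(srv, "ross", "correct horse", ["zope", "correct horse"]))
```

Against a sniffer this does what the message asks for: the wire carries g^a, g^b, a nonce and a 32-byte tag, and the password never appears in cleartext. Against an attacker who can also rewrite traffic it buys nothing, because neither public value is tied to an identity; closing that gap is precisely the job of the certificate in the "full blown SSL" setup Ross is already running in front of Zope.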