[Zope] Re: FSSession

Pavlos Christoforou pavlos@gaaros.com
Wed, 9 Feb 2000 10:20:29 -0500 (EST)


On Tue, 8 Feb 2000, Hung Jung Lu wrote:

> One more question: what about security?
> 
> At this moment the SessionUID cookie is unencrypted
> and this is not very safe... or is this cookie tied
> up to Zope session? Is it possible for someone else
> to tap into another person's session?

It is possible if you could guess some other person's SessionUID, which is
essentially a long random number (0-100000000). In any case the SessionUID
goes over the network unencrypted, as is all Zope-related security info.
In effect you are limited by the HTTP protocol.

> 
> Do you have any recommendation for enhancing security?

If your users will be logging in through HTTPS then I can devise a scheme to
make it more secure, but as long as you use HTTP or your users do not login
at all you are very limited. This I believe would be a problem for any
Session management scheme. If anyone knows otherwise please let me know.

If you worry about the SessionUID length then we can make it longer, much
longer if you desire, but even now, chances of guessing someone's
SessionUID should be -approximately- (number of existing
sessions)/100,000,000 per trial.

Pavlos
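As an added illustration (not code from the thread or from FSSession), the per-trial guessing risk described above, worked out in Python for the 0-100000000 SessionUID space and, for comparison, a 128-bit token; the 1000-session count and the token format are assumed values, not figures from the post.

```python
import math
import secrets

# SessionUID space discussed in the thread: a random number in 0..100000000.
# The exact bound is taken from the post; 10**8 distinct values is assumed.
THREAD_ID_SPACE = 100_000_000


def guess_probability(existing_sessions, id_space):
    """Chance that one uniform random guess hits some live session.

    This is the (existing sessions)/(id space) figure from the thread.
    """
    if existing_sessions < 0 or id_space <= 0:
        raise ValueError("need non-negative sessions and a positive id space")
    return min(existing_sessions / id_space, 1.0)


def trials_for_confidence(confidence, existing_sessions, id_space):
    """Independent guesses needed to hit any live session with the given
    probability, treating each guess as a Bernoulli trial with success
    probability p (so the hit count follows a geometric distribution)."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    p = guess_probability(existing_sessions, id_space)
    if p == 0:
        return math.inf
    if p >= 1:
        return 1
    # log1p keeps precision when p is tiny (large id spaces), where
    # math.log(1 - p) would round to log(1.0) == 0.
    return math.ceil(math.log(1 - confidence) / math.log1p(-p))


def id_space_bits(id_space):
    """Entropy of a uniformly chosen identifier from a space of this size."""
    return math.log2(id_space)


def secure_session_uid(nbytes=16):
    """Assumed replacement identifier: nbytes of CSPRNG output as hex
    (16 bytes gives a 2**128 space, versus ~26.6 bits for 10**8)."""
    return secrets.token_hex(nbytes)
```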