[Zope] I got it!

J C Lawrence claw@kanga.nu
Tue, 29 Feb 2000 12:40:03 -0800


On Tue, 29 Feb 2000 13:39:36 -0500 (EST) 
glyph  <glyph@twistedmatrix.com> wrote:

> However, this new rush of excitement was tempered by the
> realization that I probably couldn't use it for the distributed
> authoring purposes that I had hoped I could.  Security is a HUGE
> concern for me: students from college campuses log in to my
> server, and many of them are on networks where sniffers are
> running.  

About the best you are going to do is to use SSL.  You can of course
just put everything under SSL, but given the overhead of SSL that
may not be wise (see the archives for some stats on the area).  I'm
still looking for a way to do:

  -- Initial authentication occurs under SSL and generates a short
     lived session key (hour or two)

  -- Normal page loads are in the clear and use the session key.

  -- Significant user actions require re-authentication under SSL
     (e.g. PW changes).

-- 
J C Lawrence                                 Home: claw@kanga.nu
----------(*)                              Other: coder@kanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
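
The three-step scheme listed in the message above, sketched as an added example that is not part of the original post or of Zope. The names SERVER_SECRET, SESSION_TTL, issue_session_key, session_user and authorize, and the over_ssl / reauthenticated flags, are assumptions made for illustration. A key carried on clear-text page loads can still be captured by a sniffer, so the expiry and the SSL re-authentication gate are what bound its usefulness.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-server signing key
SESSION_TTL = 2 * 60 * 60                # "hour or two", in seconds
SENSITIVE_ACTIONS = {"change_password"}  # e.g. PW changes


def _sign(payload):
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_key(user, over_ssl, now=None):
    """Step 1: only a login made under SSL may mint a session key."""
    if not over_ssl:
        raise PermissionError("initial authentication must occur under SSL")
    expires = int((time.time() if now is None else now) + SESSION_TTL)
    payload = f"{user}|{expires}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"


def session_user(key, now=None):
    """Return the user for an untampered, unexpired key, else None."""
    payload, sep, mac = key.rpartition("|")
    if not sep or not hmac.compare_digest(mac.encode(), _sign(payload).encode()):
        return None
    parts = payload.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None  # fail closed on malformed payloads
    if (time.time() if now is None else now) >= int(parts[1]):
        return None  # short-lived: expired keys are rejected
    return parts[0]


def authorize(action, key, over_ssl, reauthenticated=False, now=None):
    """Steps 2 and 3: clear-text loads need only the key; sensitive
    actions also need SSL plus a fresh re-authentication."""
    user = session_user(key, now)
    if user is None:
        return False
    if action in SENSITIVE_ACTIONS:
        return over_ssl and reauthenticated
    return True
```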