[Zope] security

Michel Pelletier michel@digicool.com
Fri, 17 Mar 2000 13:02:23 -0800


sam wrote:
> 
> Besides the AUTHORIZED_USER field in the http header

AUTHENTICATED_USER is an object created after a client authenticates; it
is not an HTTP header, nor is it derived from the Authentication header.
The Authentication header contains a user id and base64-encoded password
that is used to authenticate the client.

> what else does zope use to identify
> an http packet from a browser?

I assume by 'packet' you mean request.  HTTP is stream based.

> I am just wondering can I not masquerade as a user by setting
> the http header using httplib or some such utility?

No.  You can authenticate yourself with such a client, but you must
still have a valid password.  You cannot just insert any old user id
into the Authentication header and expect Zope to believe you.  That
wouldn't exactly be very good security.

-Michel
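As an added example, not part of this thread and not Zope's own code, here is a small Python sketch of the check Michel describes: the server decodes the user id and password from the HTTP Basic `Authorization` header, looks the user id up in its own store, and only when the password matches does it produce an authenticated-user value (the role AUTHENTICATED_USER plays in Zope). The user store, its PBKDF2 hashing, and the `manager` account are constructed for this example and are not how Zope stores users; the point is that a header carrying a valid user id with the wrong password yields no authenticated user.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed user store for the example: user id -> (salt, PBKDF2-SHA256 hash).
# This stands in for whatever server-side store the decoded credentials are
# checked against; it is an assumption, not Zope's acl_users.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_user_store(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build salted password hashes from plain credentials (constructed sample data)."""
    store = {}
    for user_id, password in credentials.items():
        salt = os.urandom(16)
        store[user_id] = (salt, _hash_password(password, salt))
    return store


def parse_basic_authorization(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic 'Authorization' header into (user_id, password).

    Returns None if the header is missing or malformed. Nothing here is trusted
    yet: the header is only a claim made by the client.
    """
    if not header_value:
        return None
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user_id, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user_id, password


def authenticate(store: Dict[str, Tuple[bytes, bytes]], header_value: Optional[str]) -> Optional[str]:
    """Return the authenticated user id, or None.

    The returned value exists only after the password sent in the header has
    been verified against the server-side store; the user id alone proves nothing.
    """
    parsed = parse_basic_authorization(header_value)
    if parsed is None:
        return None
    user_id, password = parsed
    record = store.get(user_id)
    if record is None:
        # Hash anyway so unknown user ids take about as long as wrong passwords.
        _hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    if hmac.compare_digest(_hash_password(password, salt), expected):
        return user_id
    return None


def basic_header(user_id: str, password: str) -> str:
    """Build the header a client such as httplib would send."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    store = make_user_store({"manager": "correct horse battery staple"})
    print(authenticate(store, basic_header("manager", "correct horse battery staple")))
    print(authenticate(store, basic_header("manager", "guess")))
    print(authenticate(store, basic_header("admin", "anything")))
    print(authenticate(store, None))
```

Only the first call returns a user id; the other three return `None`, including the one that sends a real user id with a made-up password, which is exactly the masquerade sam asks about.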