[Zope] Re: Cookie and Basic authentication

David A. Riggs spam_riggs at csee.wvu.edu
Wed Jun 9 18:08:35 EDT 2004


Dieter Maurer wrote:
> David A. Riggs wrote at 2004-6-8 18:33 -0400:
> 
>>...
>>
>>>  zope = xmlrpclib.Server('http://user:password@zopeserver')
>>>  zope.some.object.method()
>>>
>>
>>
>>Is there no more secure way to make an XML-RPC call than this? I'd
>>like to tunnel over HTTPS, but placing the password in the request
>>URL like this exposes it insecurely. What's the safest way to do
>>this?
> 
> 
> When you use HTTPS, then the complete request is encrypted, including
> the URL. It might be possible that the server log file includes the
> user/password info. Check whether this is the case. If not,
> this method is as secure as others.
> 


Sure enough, you're right. I sniffed the network traffic with
ethereal and grepped through my Z2.log and Apache's access.log
with no sign of username or password (though the log side of
it is out of the hands of the sender, really). Thanks for
clarifying!

-- 
- David A. Riggs <riggs at csee dot wvu dot edu>
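As an added example that is not part of the thread, the Python 3 script below shows where the credentials in a `user:password@host` URL actually end up when xmlrpc.client (the successor of the xmlrpclib module used above) issues the call: in the Authorization header, not in the request line that access logs record or in the XML body. The recording transport, the log line and the client address are constructed for the demonstration; the behaviour of ServerProxy and Transport is the standard library's own.

```python
import base64
import xmlrpc.client

class RecordingTransport(xmlrpc.client.Transport):
    """Hypothetical transport: records what ServerProxy would send instead of
    opening a connection, so the request can be inspected offline."""
    def __init__(self):
        super().__init__()
        self.captured = {}

    def request(self, host, handler, request_body, verbose=False):
        # get_host_info() is where xmlrpc.client strips "user:password@" off
        # the host and turns it into a Basic Authorization header.
        chost, extra_headers, _x509 = self.get_host_info(host)
        self.captured = {
            "request_line": f"POST {handler} HTTP/1.1",  # what access logs record
            "host": chost,
            "headers": dict(extra_headers),
            "body": request_body.decode(),
        }
        return (True,)  # fake XML-RPC result so the caller gets a value back

def capture_call(url):
    """Make the call from the thread through the recording transport."""
    transport = RecordingTransport()
    proxy = xmlrpc.client.ServerProxy(url, transport=transport)
    proxy.some.object.method()  # never reaches the network
    return transport.captured

def decode_basic(header_value):
    """Basic auth is only base64: whoever sees the header has the password,
    so the TLS tunnel is what protects it, not the URL form."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    return base64.b64decode(token).decode()

def access_log_line(captured, client="10.0.0.5"):
    """Constructed Common Log Format line for this request: the request line is
    logged, request headers (and so the Authorization value) are not."""
    return f'{client} - - [09/Jun/2004:18:08:35 -0400] "{captured["request_line"]}" 200 512'

def leaks_secret(text, secret):
    """The grep from the thread, as a function."""
    return secret in text

if __name__ == "__main__":
    cap = capture_call("https://user:password@zopeserver")
    print(cap["request_line"], cap["headers"]["Authorization"])
    print(decode_basic(cap["headers"]["Authorization"]), leaks_secret(access_log_line(cap), "password"))
```

The caveat the thread only hints at is visible in decode_basic: the header is reversible encoding, so a proxy or server that logs request headers, or a plain-HTTP URL, exposes the password just as a logged URL would.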
