[Zope] Re: major problems placing authentication on an extranet site-security flaw?

Chris Withers chris at simplistix.co.uk
Sun Feb 12 09:29:17 EST 2006

michael nt milne wrote:
> Yes, I've got the whole site going over SSL and the :8080 port re-directing
> to SSL.

Anything not over SSL should be blocked, not redirected, given your 
earlier paranoia...

> However on my main server where I have other sites I was thinking about
> implementing SSL for the login areas to make them fully secure. From what
> you are saying though you'd basically need to make a whole site go over SSL
> and just implementing that on the login areas isn't worth it?

Correct. Also, don't turn SSL into a panacea. Security is hard. Very 
hard. I'm not sure you understand that yet...

> I still have an issue with IE6 over SSL where trying to create new pages or
> edit content, produces a server not found and the padlock dissapears.

Look at where the form action points to, I suspect you haven't correctly 
configured your virtual hosting stuff in Apache and/or Zope.



Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk

More information about the Zope mailing list