[Zope] Re: major problems placing authentication on an extranet site-security flaw?

Chris Withers chris at simplistix.co.uk
Tue Feb 14 04:26:49 EST 2006

michael nt milne wrote:
> Yes, I do realise that it's hard. Regarding the cookie comment that
> was the reason I wanted to use Apache <location> based login. 

Huh? I'm sure some people would love to know how those two things relate 
in your head...

> I do
> realise that leaving a logon cookie is insecure and that comment was
> perhaps misguided. I started to think about usability etc.

If you're lucky, you might get a system that's both insecure _and_ 
unusable ;-)

> I'm going to block 8080 at the router/firewall level as Zope obviously
> needs to keep serving through 8080 to Apache.

Using iptables in the box is probably a better idea...

> As for the issue with IE6 and editing pages over SSL it all works fine
> in Firefox 1.5, so it's a browser issue which I just can't quite
> fathom just now. 

I doubt it, my guess would still be that you're doing something wrong 


