[Zope] Re: Re: major problems placing authentication on an extranet site-security flaw?

Chris Withers chris at simplistix.co.uk
Wed Feb 15 12:44:08 EST 2006

michael nt milne wrote:
> Chris, back to throwing personal insults eh. 

It's not so much an insult as a statement of fact. Retarded means 
"slower", and given how slow you seem to be to "get" the stuff we're 
discussing, I think the shoe fits. Not necessarily meant as an insult, 
but if you want to take it as such, so be it...

> refrain from 'gratuitous insults'. That's just going to turn people
> away and harm the cause of Zope.

Some people this community could do without. I have no doubt that you'd 
argue that I am one of those people. I, of course, feel the same about 
you ;-)

>>> I hope you're making sure the "secure" bit is set on those cookies ;-)
> I take it this is a joke. 

Okay, so you don't want to bother reading specs either. Great. Go read 
up on the cookie spec, find out what the secure bit of a cookie does...

> Plone uses cookie authentication by default.

And Plohn is hideously insecure by default, what's your point?

> You can't log in without that.

Sure you can, chuck ?disable_cookie_auth__=1 on the end of a url that's 
not anonymously accessible...

> There are security risks there but
> good user education with a strong password policy, no use of 'save
> password' facilities and SSL is a start at least.

Good luck, you're gonna need it...

>>> Considering you can't even quote a response correctly, I somehow doubt
> that..
> Oh come on.

What? Your mail client put >>> in front of your previous post, which 
is faulty for the majority of mail clients used by people on this list.
Fix it.

>> Fine, don't take our advice, but don't expect help either.
> What because I don't take all your advice? That's a bit elitist and
> also not good for growing the user base of Zope.

You don't take anyone's advice on this list without bitching and whining 
about it...

> And to finish on my problem with IE over SSL, I'll be implementing the
> help found here. It's recognised that there are problems and bugs in
> IE over SSL:

Your problem will undoubtedly be that access_rule put in by the Plohn 
installer. Remove it, and I'll bet your problems go away. But hey, what 
do I know?

> MSIE versions. You can work around these problems by forcing Apache
> not to use HTTP/1.1, keep-alive connections or send the SSL close
> notify messages to MSIE clients. This can be done by using the
> following directive in your SSL-aware virtual host section

So, have you actually followed this advice? What difference has it made?
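The "secure bit" point raised above, as an added example that is not part of the thread: a small audit that parses Set-Cookie header values and reports cookies that lack the Secure attribute (and, as a bonus, HttpOnly), since without Secure a browser will send the same cookie over plain HTTP even if the login happened over SSL. The header values and cookie names are constructed samples, not taken from any real Zope or Plone deployment.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes."""

# Constructed sample Set-Cookie header values (names are placeholders).
SAMPLE_HEADERS = [
    "__ac=dGVzdDp0ZXN0; Path=/",                   # neither flag set
    "session=abc123; Path=/; Secure; HttpOnly",    # both flags set
    "tree-s=eJzT0yMA; Path=/; SECURE",             # attribute case varies
]

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header):
    """Return (cookie_name, {attr_lower: value}) for one header value.

    Attribute names are case-insensitive per RFC 6265, so they are
    lower-cased; flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(headers):
    """Map each cookie name to the list of required flags it is missing.

    Cookies that carry every required flag are omitted from the result.
    """
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


def insecure_cookies(headers):
    """Names of cookies that lack the Secure attribute specifically."""
    return [name for name, missing in audit_cookies(headers).items()
            if "Secure" in missing]


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```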
