[Zope] Re: Zope/Plone logon security strategy etc

Tino Wildenhain tino at wildenhain.de
Wed Jan 25 17:37:44 EST 2006


michael nt milne schrieb:
> Cookie authentication can't be secure. Also I have my doubts about
> http authentication. I'll check though. Basically you want really good
> encryption on any logon and password etc.

You want SSL for all. There is no security if you have "logon" encrypted
in a stateless protocol as HTTP is. Basically with HTTP you identify
for every single request. So if you login "encrypted" and, say, handle
the session with a one-time key (you could write a userfolder or plugin
for PAS to do that), the one-time key is still vulnerable if not sent
over an encrypted channel. So using Apache as an SSL proxy is easy and secure
and does exactly what you want. There is not really "an extra step"
because you set up Apache or the like anyway on a moderately to heavily used
site as frontend to Zope.

As for the security aspect, a cookie with auth credentials is equally
"secure" as Basic Auth. There is really not much of a difference -
just a different HTTP header name.

Regards
Tino
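The point made in the reply above, that a credential cookie, a Basic Auth header and a "one-time" session key are all equally exposed on plain HTTP, as an added example that is not part of the original thread: a small script that plays the passive observer on port 80 and pulls whatever is reusable out of three hand-constructed requests. The requests are constructed for this example; the `__ac` cookie layout (URL-quoted base64 of `user:password`, as the CMF CookieCrumbler emits it) and the default `_ZopeId` session cookie name are assumptions about the Zope setup, not something the thread states.

```python
"""Added example, not code from the Zope mailing list thread.

Shows that on plain HTTP an observer recovers the password from either
the Authorization header or a credential cookie, and can replay a
session cookie even when the password itself never crosses the wire.
Cookie formats (__ac, _ZopeId) are assumed, see the comments below.
"""
import base64
from urllib.parse import unquote

# Constructed samples: three requests as a sniffer on port 80 would see them.
BASIC_AUTH_REQUEST = (
    "GET /Plone/manage_main HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWRtaW46czNjcjN0\r\n"   # base64("admin:s3cr3t")
    "\r\n"
)

# Assumption: __ac is URL-quoted base64 of "user:password" (CookieCrumbler style).
COOKIE_AUTH_REQUEST = (
    "GET /Plone/front-page HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: __ac=ZWRpdG9yOmh1bnRlcjI%3D; I18N_LANGUAGE=en\r\n"
    "\r\n"
)

# Assumption: _ZopeId is the browser id cookie of Zope's session machinery.
SESSION_REQUEST = (
    "GET /Plone/folder_contents HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: _ZopeId=52895837A1bCdEfGhIjK\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Split a raw HTTP/1.x request into (request_line, {lowercased name: value})."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def cookie_jar(headers):
    """Parse the Cookie header into a dict of cookie name -> raw value."""
    jar = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def decode_user_pass(b64_token):
    """base64("user:password") -> (user, password)."""
    user, _, password = base64.b64decode(b64_token).decode("utf-8").partition(":")
    return user, password


def credentials_from_basic(headers):
    """Authorization: Basic <token> -> (user, password), or None if absent."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    return decode_user_pass(token)


def credentials_from_ac_cookie(headers):
    """__ac cookie (assumed CookieCrumbler layout) -> (user, password), or None."""
    token = cookie_jar(headers).get("__ac")
    if not token:
        return None
    return decode_user_pass(unquote(token))


def sniff(raw_request):
    """Return what a passive observer could reuse from one plaintext request:
    the password itself (header or cookie), or a replayable session token."""
    _, headers = parse_headers(raw_request)
    creds = credentials_from_basic(headers)
    if creds:
        return {"via": "Authorization header", "user": creds[0], "password": creds[1]}
    creds = credentials_from_ac_cookie(headers)
    if creds:
        return {"via": "__ac cookie", "user": creds[0], "password": creds[1]}
    token = cookie_jar(headers).get("_ZopeId")
    if token:
        return {"via": "session cookie", "replayable_token": token}
    return None


if __name__ == "__main__":
    for request in (BASIC_AUTH_REQUEST, COOKIE_AUTH_REQUEST, SESSION_REQUEST):
        print(sniff(request))
```

All three requests hand the observer something usable, which is the whole argument for terminating SSL in front of Zope rather than encrypting only the login form: the difference between the header and the cookie is where the bytes sit in the request, not whether they are protected.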

