[Zope] Question about Zope and security
Andrew Milton
akm at theinternet.com.au
Thu Mar 30 06:06:53 EST 2006
+-------[ bruno desthuilliers ]----------------------
| Cyrille Bonnet wrote:
| > Hi there,
| >
| > I have been telling all my clients about how great Zope is for security:
| > fine-grained permissions, security framework, roles, etc.
| >
| > Now, one of my clients has a security expert who took a close look at
| > how Zope authenticates users. The results were not good.
| >
| > The main problem is that Zope stores the username and password in a
| > cookie in clear text (base64 encoded).
|
| *Zope* doesn't do that. It's the (infamous) CookieCrumbler product that
| is responsible for this horror.
Lots of UserFolders do this by default for compatibility reasons.
CookieCrumbler is just following a long tradition.
It's EXACTLY the same as what you get with Basic Auth.
exUserFolder has a mode that uses a random hash for cookies (I'm sure other
UserFolders have this option as well). But as others have said, if
you're posting to a form and not using https, what's the point?
--
Andrew Milton
akm at theinternet.com.au
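The two cookie designs contrasted in this thread, as an added example that is not part of the original post or of any Zope product: a "user:password" cookie base64-encoded (the same encoding HTTP Basic Auth uses) decodes to the plaintext password for anyone who can read it, whereas an opaque random session token reveals nothing off the server. The `TokenSessionStore` class, the sample credential string and the `Set-Cookie` helper are hypothetical constructions for illustration, not exUserFolder's or CookieCrumbler's code.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample: a credential cookie of the kind the thread describes,
# i.e. "user:password" base64-encoded, exactly what Basic Auth sends.
SAMPLE_CREDENTIAL_COOKIE = base64.b64encode(b"alice:s3cret").decode("ascii")


def decode_credential_cookie(value: str) -> Tuple[str, str]:
    """Recover username and password from a base64 credential cookie.

    Base64 is an encoding, not encryption: whoever reads the cookie (or the
    Authorization header) reads the password. This is the "clear text"
    the security expert objected to.
    """
    raw = base64.b64decode(value).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


class TokenSessionStore:
    """Hypothetical opaque-token session store (not exUserFolder's code).

    The cookie carries a random value that is meaningless off the server;
    the server maps it to a username. A leaked cookie costs one session,
    not the user's password, and the session can be revoked server-side.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        # 32 random bytes from the OS CSPRNG; the cookie value is the token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        # Constant-time comparison so a timing side channel cannot reveal
        # how many leading characters of a guessed token were correct.
        for stored, user in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return user
        return None

    def logout(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None


def set_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Build a Set-Cookie header for the session token.

    Without `Secure` the browser also sends the cookie over plain HTTP,
    which is the "what's the point" objection in the thread: any token
    (random or not) is exposed on the wire unless the site is HTTPS-only.
    """
    attrs = [f"{name}={value}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    print("credential cookie decodes to:",
          decode_credential_cookie(SAMPLE_CREDENTIAL_COOKIE))
    store = TokenSessionStore()
    tok = store.login("alice")
    print(set_cookie_header("session", tok))
    print("token resolves to:", store.lookup(tok))
```

The point the example makes is that a random token fixes the disclosure problem only for the cookie's contents; the `Secure` attribute (and serving the login form itself over HTTPS) is what keeps the password and the token off an unencrypted wire.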