[Zope] Re: Question about Zope and security

Bill Campbell bill at celestial.net
Thu Mar 30 15:58:56 EST 2006


On Fri, Mar 31, 2006, Cyrille Bonnet wrote:
>Thanks to all for your feedback: I understand better what is going on now.
>
>SSL is definitely the way to go, that would solve all my problems.
>
>Now, just to push the problem a bit further: ideally, I'd like to put 
>SSL just on the login form. Zope would authenticate the user in that 
>request and return a "session ID" that would then be passed back and 
>forth in each request (without SSL).
>
>That would be a balanced approach to security: I don't have to put SSL 
>across the entire site. The site will be vulnerable to man-in-the-middle 
>attacks, but only for the duration of a session.

I've done this using custom skins, copying the login_form and
modifying it to use https when submitting.

Bill
--
INTERNET:   bill at Celestial.COM  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

There are three kinds of men. The ones that learn by reading. The few who
learn by observation.  The rest of them have to pee on the electric fence
for themselves. -- Will Rogers

