[Zope-dev] Re: CoreSessionTracking proposal
--- In [EMAIL PROTECTED], "Chris McDonough" [EMAIL PROTECTED] wrote:
> Without a client-checking scheme (such as encoding the IP address in the token), a token theft attack is very easy. As voiced by others in the thread, client-checking is not reliable, should not be a default, and maybe shouldn't be included as an option at all.

I would like to control finely the session security mechanisms. I would like to be able to plug in a client-checking mechanism (or anything else). This way, each WebApp developer can discriminate among its own constraints and risks.

I want to be able to use different ways to secure the session. For example, there would be cases where I would implement a client-checking mechanism based on both IP address and a browser time-limited cookie. This would allow me to follow sessions of people refusing cookies and of people behind "IP dancing" proxies. I would lose session state for anyone both refusing the browser cookie and being behind an "IP dancing" proxy. This would be an acceptable compromise if I am manipulating highly private data. In other cases, I could accept lower-level security related to the lesser privacy.

Godefroid Chapelle - BubbleNet sprl
rue Victor Horta 30
1348 Louvain-la-Neuve
Belgium

This mail sent through SwinG Webmail: http://mail.swing.be

___
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope )
[Zope-dev] Re: CoreSessionTracking proposal
--- In [EMAIL PROTECTED], Chris McDonough [EMAIL PROTECTED] wrote:
> I suppose I could implement something like this (encode the IP address into the token) and provide a knob to turn it on and off on the id manager. I'm not going to do this for the first iteration, I need to get it working first. :-)
>
> Steve Spicklemire wrote:
> > I forget now where I saw this but one of the session managers I looked at once checked the IP address of the visitor to make sure it was the same for the entire session, or longer. This at least makes it much harder to hijack a session, even though it means that long-lived cookies might be fooled as a user gets a new dynamic IP address...

I think WebHub is using the IP address. WebHub is a product built and working with Delphi. I tried to find where they mention it on their website (http://www.webhub.com) but could not find it.

In fact, if I remember well, the server remembers the IP address (instead of crunching it into the id) and checks the correspondence between the session id and the IP address when answering a request.

I was told that some ISPs change your IP address during a connection but never took the time to check if it is true.

> > -steve
> >
> > "Chris" == Chris McDonough [EMAIL PROTECTED] writes:
> > > Session tokens, AFAICT, cannot be secured. They can only be obfuscated, which mitigates the risk that they will be guessed. However, there's no way to completely secure them, no matter how many MD5 hashing algorithms you run on them. If a session token is stolen, that's the key that the "attacker" needs to visit the website "as you". I've addressed this in the implementation by giving the session token a random element, and this mitigates a guessing attack, but not a theft attack.
>
> --
> Chris McDonough
> Digital Creations, Publishers of Zope
> http://www.zope.org

Cheers,

Godefroid Chapelle - BubbleNet sprl
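The design argued for in this thread (a token manager that only issues and verifies tokens, with the client check supplied as a separate, replaceable piece) can be seen in a small Python model. This is an added example, not code from the thread, from Zope, or from the CoreSessionTracking implementation; the class `SessionIdManager`, the check functions `ip_check` and `ip_or_cookie_check`, the secondary "cookie" field and every client value are constructed for the demonstration. It shows the three points the posters make: a random token element stops guessing but not theft, strict IP binding stops theft but also drops a user whose proxy rotates addresses, and the "IP or time-limited cookie" compromise loses state only for a user who both refuses cookies and sits behind such a proxy.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed demo, not Zope code. A "client check" is a plug-in deciding
# whether the client presenting a token is the one it was issued to.
Client = Dict[str, str]
ClientCheck = Callable[[Client, Client], bool]


class SessionIdManager:
    """Issues session tokens and resolves them, applying an optional client check."""

    def __init__(self, secret: bytes, client_check: Optional[ClientCheck] = None):
        self._secret = secret
        self._client_check = client_check
        self._sessions: Dict[str, Client] = {}  # token -> client facts at issuance

    def _mac(self, nonce: str) -> str:
        return hmac.new(self._secret, nonce.encode(), hashlib.sha256).hexdigest()[:32]

    def new_token(self, client: Client) -> str:
        # The random element makes guessing impractical and the MAC lets forged
        # tokens be rejected cheaply. Neither helps once a real token is stolen.
        nonce = secrets.token_hex(16)
        token = f"{nonce}.{self._mac(nonce)}"
        self._sessions[token] = dict(client)
        return token

    def lookup(self, token: str, client: Client) -> Optional[Client]:
        nonce, sep, mac = token.partition(".")
        if not sep or not hmac.compare_digest(mac, self._mac(nonce)):
            return None  # malformed or forged
        recorded = self._sessions.get(token)
        if recorded is None:
            return None  # never issued (or already expired)
        if self._client_check is not None and not self._client_check(recorded, client):
            return None  # genuine token, but presented by a client we do not trust
        return recorded


def ip_check(recorded: Client, client: Client) -> bool:
    """Strict IP binding: stops replay from another address, but also drops a
    legitimate user whose proxy rotates the source address mid-session."""
    return recorded.get("ip") == client.get("ip")


def ip_or_cookie_check(now: Callable[[], float] = time.time) -> ClientCheck:
    """Accept if the IP matches OR a secondary, time-limited browser cookie
    matches. Only a user who refuses cookies AND is behind an address-rotating
    proxy loses session state."""
    def check(recorded: Client, client: Client) -> bool:
        if recorded.get("ip") == client.get("ip"):
            return True
        cookie = client.get("cookie", "")
        if not cookie or not hmac.compare_digest(cookie, recorded.get("cookie", "")):
            return False
        return now() < float(recorded.get("cookie_expires", "0"))
    return check


def run_scenarios(now: float = 1_000_000.0) -> Dict[str, bool]:
    """Return, per constructed scenario, whether the token was accepted."""
    secret = b"constructed-demo-secret"
    owner = {"ip": "192.0.2.10", "cookie": "c0ffee", "cookie_expires": str(now + 3600)}
    hopped = {"ip": "192.0.2.99", "cookie": "c0ffee"}  # same browser, proxy moved it
    no_cookie_hopped = {"ip": "192.0.2.99"}            # refuses cookies, proxy moved it
    thief = {"ip": "198.51.100.7"}                     # holds only the stolen token
    results: Dict[str, bool] = {}

    m = SessionIdManager(secret)                        # no client check at all
    t = m.new_token(owner)
    results["no_check_owner"] = m.lookup(t, owner) is not None
    results["no_check_thief"] = m.lookup(t, thief) is not None

    m = SessionIdManager(secret, ip_check)              # strict IP binding
    t = m.new_token(owner)
    results["ip_thief"] = m.lookup(t, thief) is not None
    results["ip_hopped"] = m.lookup(t, hopped) is not None

    m = SessionIdManager(secret, ip_or_cookie_check(lambda: now))
    t = m.new_token(owner)
    results["combo_thief"] = m.lookup(t, thief) is not None
    results["combo_hopped"] = m.lookup(t, hopped) is not None
    results["combo_no_cookie_hopped"] = m.lookup(t, no_cookie_hopped) is not None
    results["forged"] = m.lookup("00" * 16 + "." + "00" * 16, owner) is not None

    late = SessionIdManager(secret, ip_or_cookie_check(lambda: now + 7200))
    results["combo_hopped_expired"] = late.lookup(late.new_token(owner), hopped) is not None
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:24s} {'accepted' if accepted else 'refused'}")
```

The manager never looks at IP addresses itself; the policy lives entirely in the check function passed to it, which is what makes it possible to run strict IP binding for one application and the IP-or-cookie compromise for another without touching the token code. The `secret` is stored in memory here only to keep the demo self-contained.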
[Zope] Pluggable brains
Is there a place where the pluggable brains mechanism is described?

I am beginning a Zope site project. With the little I have read about pluggable brains, I feel that more info could help me in deciding which part of the data has to stay in the ZODB and which should go into an RDBMS.

Thanks.

Godefroid Chapelle - BubbleNet sprl

___
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
[Zope] ZDOM and Zope release version number
Hi all, two questions:

I have read the ZDOM documentation on Zope.org but it is unclear if it is already implemented or if it is still a project. I could not use it on my free Zope account at NIP. So I was wondering if NIP was running a previous release which does not support ZDOM.

Then the related question: how can I check the Zope release version number from the management interface?

Thanks.

Godefroid Chapelle - BubbleNet sprl
[Zope] Re: list of users tied to database
Quoting: on 13/9/00 2:47 pm, [EMAIL PROTECTED] at [EMAIL PROTECTED] wrote:
> > I am still a newbie, but I wonder if you can use the sequence-item of an enclosing dtml-in inside the definition of a nested dtml-in
>
> yeah, I think I've done this before by using a dtml-let to set a variable, but can't for the life of me work out how to do it
>
> <dtml-in "theOTHERintranet.acl_users.getUserNames()">
>   <dtml-in "get_email('UserName=<dtml-var sequence-item>')">
>     <dtml-var Email><br>
>   </dtml-in>
> </dtml-in>

So maybe, you could try something like changing your previous code to

<dtml-in "theOTHERintranet.acl_users.getUserNames()">
  <dtml-let TheUserName="_['sequence-item']">
    <dtml-in "get_email('UserName=' + TheUserName)">
      <dtml-var Email><br>
    </dtml-in>
  </dtml-let>
</dtml-in>

Hope it can help,

Godefroid Chapelle - BubbleNet sprl