On 5/7/05, Chris McDonough <[EMAIL PROTECTED]> wrote:
> Web Folders pass cookies around too, FWIW, so it's probably not strictly
> necessary to use http basic auth. But without using http basic auth,
> there is no way to log in unless you have them go to the web interface
> first, then launch a web folder, so maybe impractical.

That's exactly what's happening at the moment; the WebDAV access is linked to via the web interface after they log in (it's only one small part of a larger system). They log in via the web, gaining a cookie which is passed to the Explorer 'web folders' thing, so when they click on the link to the WebDAV part of the site the cookie is still valid and they don't have to log in to WebDAV. *

All I'm trying to do is boost the security of the system overall by ensuring an attacker can't simply sidestep the 'three login failure lockout' just by repeatedly trying to log in via WebDAV.

mark

* A thought occurs to me after writing it like this. Might it be possible to forbid HTTP Basic auth logins to WebDAV, so that only cookies are the allowed authentication type?

> - C

_______________________________________________
Zope maillist - Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope-dev )
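The two ideas in the message above, a failed-login lockout that every authentication path shares (so Basic-auth attempts against the WebDAV URLs count against the same three-strike limit as the web form) and a policy switch that refuses Basic credentials on WebDAV paths so only the session cookie is accepted, sketched as an added Python example. This is illustrative code written for this page, not code from the thread or from Zope; the user name and password, the `session` cookie name, the `/webdav/` path prefix, and the header-dict shape are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3  # the "three login failure lockout" the message refers to


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AuthState:
    users: dict                                    # username -> (salt, pbkdf2 hash)
    failures: dict = field(default_factory=dict)   # username -> consecutive failed attempts
    sessions: dict = field(default_factory=dict)   # cookie token -> username
    basic_allowed_on_webdav: bool = False          # the "forbid Basic on WebDAV" switch


def make_state(basic_allowed_on_webdav: bool = False) -> AuthState:
    # Constructed sample user (assumption): one account, password "correct horse".
    salt = secrets.token_bytes(16)
    users = {"mark": (salt, hash_password("correct horse", salt))}
    return AuthState(users=users, basic_allowed_on_webdav=basic_allowed_on_webdav)


def is_locked(state: AuthState, username: str) -> bool:
    return state.failures.get(username, 0) >= MAX_FAILURES


def verify_credentials(state: AuthState, username: str, password: str) -> bool:
    """The single place credentials are checked. Both the web form and the
    Basic-auth path call this, so failures on either path feed one lockout."""
    if is_locked(state, username):
        return False                       # locked: the password is not even tested
    record = state.users.get(username)
    if record is not None:
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            state.failures[username] = 0   # success resets the counter
            return True
    # wrong password or unknown user: count it either way
    state.failures[username] = state.failures.get(username, 0) + 1
    return False


def form_login(state: AuthState, username: str, password: str):
    """Web-interface login. On success, issue the session cookie that the
    Explorer web folder will later send along to the WebDAV URLs."""
    if not verify_credentials(state, username, password):
        return None
    token = secrets.token_urlsafe(32)
    state.sessions[token] = username
    return token


def basic_header(username: str, password: str) -> str:
    """Build an 'Authorization: Basic' value, used here to construct sample requests."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic(header: str):
    """Decode an 'Authorization: Basic ...' value into (user, password) or None."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def session_from_cookie(cookie_header: str):
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def authenticate_request(state: AuthState, path: str, headers: dict):
    """Return the authenticated username for a request, or None.
    A valid session cookie is accepted everywhere. Basic credentials are
    refused outright on WebDAV paths unless the policy switch allows them,
    and when they are accepted they go through the same lockout-aware check."""
    token = session_from_cookie(headers.get("Cookie", ""))
    if token is not None and token in state.sessions:
        return state.sessions[token]
    auth = headers.get("Authorization")
    if not auth:
        return None
    if path.startswith("/webdav/") and not state.basic_allowed_on_webdav:
        return None                        # nothing checked, nothing counted, nothing leaked
    creds = parse_basic(auth)
    if creds is None:
        return None
    user, password = creds
    return user if verify_credentials(state, user, password) else None
```

With `basic_allowed_on_webdav=True`, three wrong Basic attempts against `/webdav/...` lock the account for the web form as well, which is the property the message is after; with the switch off, a Basic header on a WebDAV path is ignored before any credential is examined, and the same account still logs in normally through the form and then reaches WebDAV with its cookie.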